07-07-2010 11:38 AM
If you have an ASA with 10 host licenses, and that ASA is a spoke in a lan-to-lan VPN, how do hosts that are talking across the VPN count? I know that NAT hosts that want to go to the internet count as a host, and the 11th host will get denied, but not in a very clear way (the connection just kind of hangs as if it can't find it or that website is down). If a PC on the inside connects to a resource on the other side of the VPN, does that count as a host license as well, or is that different?
I have a 10 user ASA 5505 that has 16 devices behind it (as shown by DHCPD bindings), 7 of which are IP phones that MOST OF THE TIME only talk to the local voice server. However, they sometimes get denied talking across the VPN to other devices, and clearing the VPN and re-establishing the VPN (clear cry isa sa) will usually fix this.
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
07-07-2010 01:02 PM
Based on the license specs, I understand that any host destined to talk to the internet VLAN, which is your outside interface where the VPN tunnel terminates, counts toward the host limitation in the 10 user base license. You can issue show local-host on the firewall, which will show per-host TCP/UDP connection counts. You may also use show conn.
See small print (1) below table A-1
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/specs.html#wpxref1150575
Regards
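Added example, not part of the original replies: a small Python parser that reads the summary lines of `show local-host` and flags when the licensed host limit has been reached or an interface reports denied hosts. The sample text is constructed and its line format is an assumption modelled on ASA 5505 output; adjust the patterns to what your software version prints.

```python
import re

# Constructed sample; the line format is an assumption about what
# `show local-host` prints on an ASA 5505, and the numbers are made up.
SAMPLE = """\
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 10, towards licensed host limit of: 10

Interface inside: 10 active, 10 maximum active, 6 denied
Interface outside: 0 active, 0 maximum active, 0 denied
"""

COUNT_RE = re.compile(
    r"Current host count:\s*(\d+), towards licensed host limit of:\s*(\d+)")
IFACE_RE = re.compile(
    r"^Interface (\S+):\s*(\d+) active, (\d+) maximum active, (\d+) denied",
    re.M)


def parse_local_host(text):
    """Return the host count, licensed limit and per-interface counters."""
    m = COUNT_RE.search(text)
    current, limit = (int(m.group(1)), int(m.group(2))) if m else (None, None)
    ifaces = {
        name: {"active": int(a), "max_active": int(mx), "denied": int(d)}
        for name, a, mx, d in IFACE_RE.findall(text)
    }
    return {"current": current, "limit": limit, "interfaces": ifaces}


def license_findings(parsed):
    """List findings that point at host-limit exhaustion."""
    findings = []
    cur, lim = parsed["current"], parsed["limit"]
    if cur is not None and cur >= lim:
        findings.append(f"host count {cur} has reached licensed limit {lim}")
    for name, c in parsed["interfaces"].items():
        if c["denied"] > 0:
            findings.append(f"interface {name}: denied counter is {c['denied']}")
    return findings


if __name__ == "__main__":
    for line in license_findings(parse_local_host(SAMPLE)):
        print(line)
```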
07-07-2010 01:05 PM
Thanks