In article <4187d5ec$0$86955$> ,
simon <simonix@postottedotteledotdk> wrote:
:As we are a supporting company we often need to access our customers'
:network, so we have encouraged them to buy a PIX 501 each.
:We can then access their network from our notebooks via the Cisco VPN
:client. However at our home office we have a PIX 501 ourselves, and as we
:are sitting behind this PIX, we can't access the PIX 501 at our customers'
:site. Some of the old customers have other PIXes, for instance the PIX 515,
:and these customers can be accessed as well from behind our PIX 501 as from
:any other place.
:Therefore I think there must be a configuration solution that could be
:implemented by the new PIX 501 customers so that we can access all customers
:from anywhere. Is this a theme of different models of the PIX, or how do you
:see it?
Do your customers have more than 10 internal systems that might
simultaneously be connected through the PIX 501 to the outside,
including those systems which are servers and including the
systems that you access through your VPN?
If so, then they might be running out of license slots. The base
PIX 501 unit only allows for 10 internal systems to have simultaneously
active xlates. When internal systems are going to the outside through
nat/global, the PIX 501 normally times out the license slot a short time
after the last active connection from the machine closes. However,
if a 'static' or 'nat 0' is involved, the PIX 501 activates the license
slot as soon as it sees traffic directed to the inside host (even
if the traffic will be denied by ACLs), and the PIX 501 will then
not time out that license slot until you reboot or you go into
configuration mode and 'clear local-host' to remove the host.
To determine whether this is the problem, connect to the PIX and
issue the command 'show local-host' and look at the first line.
If you see any non-zero number of 'denied' hosts, then the license
limit has been hit.
When this problem occurs, the potential remedies are:
- buy an extension license, to 50 or unlimited users
- buy a bigger PIX such as the 506e
- be much much more selective about what is covered by 'static'
and 'nat 0' -- but this only helps in the situation where you
have more than 10 public IPs being routed to the PIX and the
license is being exceeded because of portscans against the PIX.
In my opinion, the unlimited license for the 501 is a bad investment.
The PIX 506e is noticeably faster and has no license limit, and
the cost of the license upgrade is relatively large compared to
the 506e price. I would also suggest that if there are more than
about 25 internal hosts that might be talking to the outside world,
especially if you are doing noticeable amounts of VPN traffic, then
for performance reasons it would make sense to go for the 506e instead
of the 50 user license for the 501.
Some of your customers may balk at paying about $US1000 for a 506e.
[A quick surf shows some places charging about $US890.] My response
to that would be to point to the time/money tradeoffs and the
"opportunity costs" -- the time spent on both ends trying to work
around this issue is time that neither of you is earning money, and
the labour costs on both ends quickly exceed ~$US1000.
NB: The first couple of software revs that supported the PIX 501,
6.1(1) and 6.1(2) as I recall, had a bug such that internal hosts were
never timed out. Chances are that this isn't hitting your customers,
though, as everyone should by now have upgraded to newer software
for security reasons. [The upgrade is free, even to those without
support contracts.]
--
Caution: A subset of the statements in this message may be
tautologically true.
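The license-slot check described in the reply above ('show local-host', look for a non-zero 'denied' count), as a small parser over a constructed sample of that output. This is an added example, not code from the post; the line format it assumes ("Interface <name>: N active, N maximum active, N denied" followed by "local host: <ip>," entries) is an assumption based on PIX 6.x output, so adjust the regexes if your unit prints it differently.

```python
import re

# Constructed sample of 'show local-host' output (format is an assumption,
# not a capture from a real PIX). The first line per interface carries the
# active / maximum active / denied counters the post tells you to look at.
SAMPLE_SHOW_LOCAL_HOST = """\
Interface inside: 10 active, 10 maximum active, 3 denied
local host: <192.168.1.20>,
    TCP connection count/limit = 1/unlimited
    UDP connection count/limit = 0/unlimited
local host: <192.168.1.21>,
    TCP connection count/limit = 0/unlimited
    UDP connection count/limit = 2/unlimited
"""

# Summary line at the top of the output for each interface (assumed format).
INTERFACE_LINE = re.compile(
    r"^Interface\s+(?P<iface>\S+):\s+(?P<active>\d+)\s+active,\s+"
    r"(?P<max_active>\d+)\s+maximum active,\s+(?P<denied>\d+)\s+denied"
)
# One entry per inside host currently holding a license slot (assumed format).
LOCAL_HOST_LINE = re.compile(r"^local host:\s+<(?P<ip>[0-9.]+)>")


def parse_local_host(output):
    """Return ({interface: counters}, [host IPs]) from 'show local-host' text."""
    interfaces, hosts = {}, []
    for raw in output.splitlines():
        line = raw.strip()
        m = INTERFACE_LINE.match(line)
        if m:
            interfaces[m.group("iface")] = {
                k: int(m.group(k)) for k in ("active", "max_active", "denied")
            }
            continue
        m = LOCAL_HOST_LINE.match(line)
        if m:
            hosts.append(m.group("ip"))
    return interfaces, hosts


def license_limit_hit(output):
    """True if any interface reports denied hosts, i.e. the slot limit was reached."""
    interfaces, _ = parse_local_host(output)
    return any(c["denied"] > 0 for c in interfaces.values())


def slots_in_use(output, license_hosts=10):
    """(active, licensed) for the base 10-user PIX 501 license by default."""
    interfaces, _ = parse_local_host(output)
    return sum(c["active"] for c in interfaces.values()), license_hosts
```

Hosts listed in the second return value that are covered by 'static' or 'nat 0' are the ones that will not age out without 'clear local-host' or a reboot.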