PIX 501 User license

Discussion in 'Cisco' started by Rik Bain, Jul 9, 2003.

  1. Rik Bain

    Rik Bain Guest

    "show local-host"

    On Wed, 09 Jul 2003 14:02:41 -0700, Jeff Christman wrote:

    > I am having some trouble understanding the licensing for the PIX 501.
    > I have a 10 USER license but only 8 users behind the firewall. I
    > understand that it is licensed for 10 source IP addresses.
    >
    > The users utilize the internet exstensively for research and such.
    > They will have 7-10 browser open, e-mail, and other internet related
    > apps always up and running.
    >
    > Let try and scenario:
    > 1 User on 1 PC. Connects to the internet through the browser, opens
    > e-mail and leaves running, opens 2nd instance of browser. How many
    > licenses are being used?
    >
    > As I understand, this should be 1 license being used. Correct?
    >
    > Any information would greatly be appreciated
    Rik Bain, Jul 9, 2003
    #1
    1. Advertising

  2. I am having some trouble understanding the licensing for the PIX 501.
    I have a 10 USER license but only 8 users behind the firewall. I
    understand that it is licensed for 10 source IP addresses.

    The users utilize the internet exstensively for research and such.
    They will have 7-10 browser open, e-mail, and other internet related
    apps always up and running.

    Let try and scenario:
    1 User on 1 PC. Connects to the internet through the browser, opens
    e-mail and leaves running, opens 2nd instance of browser. How many
    licenses are being used?

    As I understand, this should be 1 license being used. Correct?

    Any information would greatly be appreciated
    Jeff Christman, Jul 9, 2003
    #2
    1. Advertising

  3. I have a fair idea its based on concurrent connections, eg it will only
    process x at once

    I hope this is the case, as I have bought this product for a 40 user lab(!)

    Ta

    Fat


    "Jeff Christman" <> wrote in message
    news:...
    > I am having some trouble understanding the licensing for the PIX 501.
    > I have a 10 USER license but only 8 users behind the firewall. I
    > understand that it is licensed for 10 source IP addresses.
    >
    > The users utilize the internet exstensively for research and such.
    > They will have 7-10 browser open, e-mail, and other internet related
    > apps always up and running.
    >
    > Let try and scenario:
    > 1 User on 1 PC. Connects to the internet through the browser, opens
    > e-mail and leaves running, opens 2nd instance of browser. How many
    > licenses are being used?
    >
    > As I understand, this should be 1 license being used. Correct?
    >
    > Any information would greatly be appreciated
    Fatman Superstar, Jul 9, 2003
    #3
  4. In article <beib9f$a2d$>,
    I <-cnrc.gc.ca> wrote:
    :Above, I wrote in terms of translations instead of in terms of
    :connections. The difference is significant if you have configured
    :"static" [each host static'd logically requires a container].

    :There is also a more obscure circumstance which can blow your license
    :count to bits. If the internal network on the 501 is open to a remote
    :machine (via 'static' or 'nat 0 access-list', and remote-friendly ACLs,
    :eek:r a VPN and "sysopt connection permit-ipsec"), then
    :if you ping or nmap non-existant hosts inside the 501, a translation
    :gets built for each non-existant host, and you are subject to the
    :translation timeout for each.

    :This -tends- to be more of a problem with a VPN, in that people
    :tend not to use mass 'nat 0 access-list' entries except in connection
    :with VPNs. AFAIK, the problem cannot occur with just static because
    :the necessary static's would consume your license count before you
    :got around to nmap'ing.

    Looks like I was wrong in some of the details, but had the right
    general idea.

    It turns out that if you have a static(inside,outside) then the hosts
    so named do NOT consume translation slots when the translations are
    not in use, and thus the hosts do not count against the license limit
    until they go into use.

    It also turns out, though, that translations are processed before ACL
    checking. This means that if you have a static against a host, and
    someone outside attempts to access the host, then the xlate will get
    built, decrementing your available license count, *before* the ACL
    is checked to see if the access is authorized.


    Looks like it's time to update my bug report about No Translation Group...
    [the only cure for which is to static the hosts even if they aren't
    servers.]
    --
    This is not the same .sig the second time you read it.
    Walter Roberson, Jul 12, 2003
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Rik Bain

    Pix 501 license slots - part II ?

    Rik Bain, Oct 22, 2003, in forum: Cisco
    Replies:
    6
    Views:
    653
    Walter Roberson
    Oct 23, 2003
  2. Jens Haase
    Replies:
    1
    Views:
    939
    Walter Roberson
    Jan 29, 2004
  3. ants

    Pix 501 License Upgrade

    ants, Feb 15, 2005, in forum: Cisco
    Replies:
    1
    Views:
    3,327
    Walter Roberson
    Feb 15, 2005
  4. PIX 501 License Issue

    , Jul 31, 2006, in forum: Cisco
    Replies:
    0
    Views:
    417
  5. =?Utf-8?B?SmVyZW15IFdvbmcg6buD5rOT6YeP?=

    Request for a downgrade from x64 OEM license to 32-bit OEM license

    =?Utf-8?B?SmVyZW15IFdvbmcg6buD5rOT6YeP?=, Aug 23, 2005, in forum: Windows 64bit
    Replies:
    58
    Views:
    2,680
    Cari \(MS-MVP\)
    Sep 23, 2005
Loading...

Share This Page