PIX 501 User license

Discussion in 'Cisco' started by Rik Bain, Jul 9, 2003.

  1. "show local-host"
     
    Rik Bain, Jul 9, 2003
    #1

  2. I am having some trouble understanding the licensing for the PIX 501.
    I have a 10 USER license but only 8 users behind the firewall. I
    understand that it is licensed for 10 source IP addresses.

    The users utilize the internet extensively for research and such.
    They will have 7-10 browsers open, e-mail, and other internet related
    apps always up and running.

    Let's try a scenario:
    1 User on 1 PC. Connects to the internet through the browser, opens
    e-mail and leaves it running, opens a 2nd instance of the browser. How many
    licenses are being used?

    As I understand, this should be 1 license being used. Correct?

    Any information would be greatly appreciated.
     
    Jeff Christman, Jul 9, 2003
    #2

  3. I have a fair idea it's based on concurrent connections, e.g. it will only
    process x at once.

    I hope this is the case, as I have bought this product for a 40 user lab(!)

    Ta

    Fat
     
    Fatman Superstar, Jul 9, 2003
    #3
  4. :Above, I wrote in terms of translations instead of in terms of
    :connections. The difference is significant if you have configured
    :"static" [each host static'd logically requires a container].

    :There is also a more obscure circumstance which can blow your license
    :count to bits. If the internal network on the 501 is open to a remote
    :machine (via 'static' or 'nat 0 access-list', and remote-friendly ACLs,
    :or a VPN and "sysopt connection permit-ipsec"), then
    :if you ping or nmap non-existent hosts inside the 501, a translation
    :gets built for each non-existent host, and you are subject to the
    :translation timeout for each.

    :This -tends- to be more of a problem with a VPN, in that people
    :tend not to use mass 'nat 0 access-list' entries except in connection
    :with VPNs. AFAIK, the problem cannot occur with just static because
    :the necessary statics would consume your license count before you
    :got around to nmap'ing.

    Looks like I was wrong in some of the details, but had the right
    general idea.

    It turns out that if you have a static(inside,outside) then the hosts
    so named do NOT consume translation slots when the translations are
    not in use, and thus the hosts do not count against the license limit
    until they go into use.

    It also turns out, though, that translations are processed before ACL
    checking. This means that if you have a static against a host, and
    someone outside attempts to access the host, then the xlate will get
    built, decrementing your available license count, *before* the ACL
    is checked to see if the access is authorized.


    Looks like it's time to update my bug report about No Translation Group...
    [the only cure for which is to static the hosts even if they aren't
    servers.]
     
    Walter Roberson, Jul 12, 2003
    #4
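The accounting the thread converges on (one license slot per inside host holding a translation, connections from one host sharing that slot, and an xlate for an exposed address being built before the ACL is evaluated) is easier to reason about as a small model. The following is an added illustration written for this page; it is not Cisco code, not PIX output, and the class, method names and addresses are all assumed. It runs Jeff's one-PC scenario and Walter's probe-of-an-exposed-subnet scenario against a hypothetical 10-user limit; on a real unit the live count is what `show local-host` (post #1) reports.

```python
from dataclasses import dataclass, field


@dataclass
class Pix501LicenseModel:
    """Hypothetical model of how a PIX 501 N-user license is consumed.

    Assumptions taken from the thread, not from Cisco documentation:
      * one license slot per inside host (source IP) that has a translation
        (xlate) built; every connection from that host shares the slot;
      * an xlate is released only when its translation timeout expires;
      * for an inside address exposed to the outside (a 'static' or a
        'nat 0 access-list' match) an inbound packet builds the xlate
        *before* the ACL is evaluated, so even a denied probe takes a slot.
    """
    max_hosts: int                                   # e.g. 10 for a 10-user license
    exposed: set = field(default_factory=set)        # inside addresses reachable via static / nat 0
    acl_permits: set = field(default_factory=set)    # exposed addresses the inbound ACL really allows
    xlates: dict = field(default_factory=dict)       # inside host -> open connections (0 = idle xlate)
    denied: int = 0                                  # attempts refused because the license was full

    def used(self) -> int:
        """License slots in use: one per host that currently holds an xlate."""
        return len(self.xlates)

    def _build_xlate(self, host: str) -> bool:
        if host in self.xlates:
            return True                              # host already holds a slot
        if len(self.xlates) >= self.max_hosts:
            self.denied += 1
            return False                             # license exhausted
        self.xlates[host] = 0
        return True

    def outbound(self, host: str) -> bool:
        """An inside host opens one more connection (browser tab, mail client, ...)."""
        if not self._build_xlate(host):
            return False
        self.xlates[host] += 1
        return True

    def inbound(self, host: str) -> bool:
        """An outside party sends a packet to an inside address.

        Returns True only if the connection is permitted. For an exposed
        address the xlate (and so the slot) is built regardless, because
        translation happens before the ACL check.
        """
        if host not in self.exposed:
            return False                             # nothing to translate, nothing built
        if not self._build_xlate(host):
            return False
        if host not in self.acl_permits:
            return False                             # denied by ACL, but the slot is already taken
        self.xlates[host] += 1
        return True

    def xlate_timeout(self, host: str) -> None:
        """Translation timeout expires for a host: its slot is released."""
        self.xlates.pop(host, None)


def one_user_many_apps() -> int:
    """Jeff's scenario: one PC with several browsers plus mail, 10-user license."""
    fw = Pix501LicenseModel(max_hosts=10)
    for _ in range(12):                              # constructed: 12 concurrent connections from one PC
        fw.outbound("10.0.0.5")                      # constructed address
    return fw.used()                                 # all of them share a single slot


def probe_of_exposed_subnet() -> tuple:
    """Walter's scenario: 20 inside addresses exposed (mostly non-existent hosts),
    only one of them permitted by the ACL. Returns
    (permitted connections, slots used after the probe, legit user before timeout,
     legit user after timeout)."""
    subnet = {f"10.0.0.{i}" for i in range(1, 21)}  # constructed addresses
    fw = Pix501LicenseModel(max_hosts=10, exposed=subnet, acl_permits={"10.0.0.1"})
    permitted = sum(fw.inbound(f"10.0.0.{i}") for i in range(1, 21))
    slots_after_probe = fw.used()                    # every slot held by a probe-built xlate
    legit_before = fw.outbound("10.0.0.100")         # real inside user is refused
    for host in list(fw.xlates):
        fw.xlate_timeout(host)                       # translation timeouts expire
    legit_after = fw.outbound("10.0.0.100")          # now admitted
    return permitted, slots_after_probe, legit_before, legit_after


if __name__ == "__main__":
    print("one PC, many apps ->", one_user_many_apps(), "slot(s)")
    print("probe of exposed subnet ->", probe_of_exposed_subnet())
```

The second scenario is the defender's takeaway from Walter's post: the exposure itself (a broad `nat 0 access-list` or a static) lets traffic that the ACL will ultimately deny hold license slots for a full translation timeout, so the license count, not the ACL, becomes the resource that runs out first. Reducing the exposed address range to real hosts, and checking `show local-host` when inside users start being refused, is the practical response.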
