I have a PIX501 I am using only for a VPN connection as backup to a T-1 circuit. It has a 10 user liscence on it. My question will the PIX just route the 20 users at the office or do I need a different liscence? All traffic will only be going over the VPN with no NAT'ing.
It isn't clear in your question as to whether the 20 users are "inside" or "outside" relative to the PIX.
The license limit is the number of distinct inside hosts that are talking to the outside or which have active translations. If you have a static() for a host, then as soon as that static gets used the first time (since boot), that host gets locked in as active until the next reset/boot.
If your 20 users are "inside" and connecting out via VPN, then they will still need to use up license slots, and you will likely need the license increment (unless less than half are active on average.)
If your 20 users are remote, connecting through individual VPN client connections, then the applicable license is the number of IKE peers, which is distinct from the 10 user license. Unfortunately, the number of IKE peers is relatively small for a PIX 501, and cannot be increased by license changes (but PIX 6.3 increased the limit relative to 6.2 if I recall correctly.)
If your 20 users are remote, connecting through a site-to-site tunnel (e.g., another PIX 501 at the other end), then that would only be one IKE peer, and the limit would become the number of internal devices they are communicating with.
PIX-501-SW-10-50=
10-to-50 user upgrade license for Cisco PIX 501PIX-501-SW-10-UL=
10-to-unlimited user upgrade license for Cisco PIX 501 (requires Cisco PIX Security Appliance Software Version 6.3)Sincerely,
Brad Reese
The users are inside and I am only going to 1 ike peer.
access-list DONOTNAT permit ip 10.0.14.0 255.255.255.0 10.3.150.0
255.255.255.0ip address outside X.X.X.X 255.255.255.252
ip address inside 10.0.14.3 255.255.255.0
nat (inside) 0 access-list DONOTNAT
sysopt connection permit-ipsec
crypto ipsec transform-set OTGSET esp-3des esp-md5-hmac
crypto map TOOTG 10 ipsec-isakmp
crypto map TOOTG 10 match address DONOTNAT
crypto map TOOTG 10 set peer X.X.X.X
crypto map TOOTG 10 set transform-set OTGSET
crypto map TOOTG interface outside
isakmp enable outside
isakmp key ****** address X.X.X.X netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
The license limits on a PIX 501 *do* apply to nat 0 access-list hosts that have active conversations.
Thank you for explaining that for me. I now get order 50 user liscences for a couple of my offices. Thanks again for replying quickly
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.