I have a PIX501 I am using only for a VPN connection as backup to a T-1 circuit. It has a 10 user liscence on it. My question will the PIX just route the 20 users at the office or do I need a different liscence? All traffic will only be going over the VPN with no NAT'ing.
It isn't clear in your question as to whether the 20 users are "inside" or "outside" relative to the PIX.
The license limit is the number of distinct inside hosts that are talking to the outside or which have active translations. If you have a static() for a host, then as soon as that static gets used the first time (since boot), that host gets locked in as active until the next reset/boot.
If your 20 users are "inside" and connecting out via VPN, then they will still need to use up license slots, and you will likely need the license increment (unless less than half are active on average.)
If your 20 users are remote, connecting through individual VPN client connections, then the applicable license is the number of IKE peers, which is distinct from the 10 user license. Unfortunately, the number of IKE peers is relatively small for a PIX 501, and cannot be increased by license changes (but PIX 6.3 increased the limit relative to 6.2 if I recall correctly.)
If your 20 users are remote, connecting through a site-to-site tunnel (e.g., another PIX 501 at the other end), then that would only be one IKE peer, and the limit would become the number of internal devices they are communicating with.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.