ASA licenses

Hi there !

Could anybody please put some light on the ASA license model? For a PIX, there were interface and user-based licenses. The ASAs also have VPN licenses but I'm pretty unsure how that works ...

Concerning interfaces, things are clear. In my understanding, "users" in fact mean hosts (actually different IP addresses) on the inside LAN. But how are they counted? Is it addresses seen since the last reboot, ever seen since first power-on (persistently saved somewhere), simultaneous active connections through the device, or something completely different?

And what about VPN? 10 IPsec and 10 SSL connections are always built-in. Are they counted like above? Upgrade licenses only talk about additional SSL users - do they also lift up IPsec users or is IPsec always unlimited?

And am I right that a "restricted DMZ" only allows connections from and to _one_ other interface?

TIA

fw

Frank Winkler

I was similarly confused. I asked our dealer and they checked it out and told me the following with respect to the ASA 5505 that we purchased:

Base License comes with the box and has a 10-user license. You can also buy a 50-user or unlimited users license.

Base license has a gotcha when considering a DMZ. If you use three interfaces e.g., inside, outside and dmz, dmz cannot initiate connections to the inside.

The box also comes with a license for 10 IPSec VPN peers and 2 SSL VPN peers.

There is also a Cisco ASA 5510 Security Plus Firewall Edition Bundle which includes:

2 Gigabit Ethernet + 3 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 SSL VPN peers, Active/Standby high availability, 3DES/AES license. This license costs more than the ASA 5505.

They also told me that the limitation on the dmz interface is not imposed on any of the ASA 5500 series products with base license, just the ASA 5505.

tman

When an inside host starts activity, a "container" is created for it. That container stays alive as long as there is any activity to the host. After the last activity for the host stops (e.g., UDP connections time out, TCP connections close), there is a delay and then the container times out and is removed. The "users" limit is a limit on the number of containers. The container list starts out empty at every reboot.

The above discussion is not exactly accurate (at least not for PIX 6.) When there is a static translation (host translation or static port translation) for a host, then as long as that translation goes unused, the host will act as described above. However, as soon as even a single packet uses that translation, because it is a static translation and static translations have indefinite lifetimes, the host container effectively becomes "locked in" and will be retained even if there is no activity on the host, with the previously-used static translation "holding the door open" so to speak. This will use up a user license even though there might not have been any activity on the host for weeks. There is a command to clear a particular host's container, but if you end up using that command to reclaim licenses then -probably- you don't have as many licenses as you need.

A further point to consider in this regard is that in PIX 6 (I don't know about PIX 7 or PIX 8), a translation will get activated with respect to an incoming packet *before* the interface ACL is checked to see whether that particular source/destination combination is allowed. What this means in practice is that about 15 minutes after you connect up (or reboot) your PIX or ASA, some idjiot on a bot-net somewhere is probably going to port-scan you and so end up activating the static translation and thus consume the user license, even though the ACL may reject the packet. You can -reduce- the incidence of this by using policy statics that specify the allowed sources instead of using a traditional static (which is valid for all sources). And perhaps Cisco fixed this issue in PIX 7 or PIX 8... I don't know.

Walter Roberson
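To make the counting rules in the two posts above concrete, here is an added toy model (not Cisco code and not how PIX/ASA implements it internally) of the host "container" table: a container is created on first activity, idles out when no static translation has carried traffic, stays locked in once a static has been hit (even if the ACL then drops the packet), and the table is empty after a reboot. The idle timeout value and the host addresses are constructed for the example.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 60  # seconds; constructed value, not the real PIX/ASA timer


@dataclass
class HostContainer:
    last_activity: float
    static_used: bool = False  # set once a static translation carried a packet


@dataclass
class UserLicenseTable:
    """Models the per-host 'container' list that the user license counts."""
    limit: int
    containers: dict = field(default_factory=dict)

    def activity(self, now, host, via_static=False, acl_permitted=True):
        """Record a packet to/from host. Returns False if it consumed nothing."""
        self.expire(now)
        # A hit on a static translation activates it before the ACL is checked,
        # so it creates/keeps a container even when the ACL rejects the packet.
        if not via_static and not acl_permitted:
            return False
        c = self.containers.get(host)
        if c is None:
            if len(self.containers) >= self.limit:
                return False  # user limit reached: no container for this host
            c = self.containers[host] = HostContainer(last_activity=now)
        c.last_activity = now
        if via_static:
            c.static_used = True  # translation now "holds the door open"
        return True

    def expire(self, now):
        """Drop idle containers; locked-in (static) hosts never idle out."""
        for host, c in list(self.containers.items()):
            if not c.static_used and now - c.last_activity > IDLE_TIMEOUT:
                del self.containers[host]

    def licensed_hosts(self, now):
        self.expire(now)
        return sorted(self.containers)

    def clear_host(self, host):
        """The manual 'clear' for one host's container, reclaiming its license."""
        self.containers.pop(host, None)

    def reboot(self):
        self.containers.clear()  # the container list starts empty at every boot


def demo():
    t = UserLicenseTable(limit=10)
    t.activity(0, "10.0.0.1")                                   # plain outbound
    t.activity(0, "10.0.0.2", via_static=True, acl_permitted=False)  # scan hits static
    t.activity(0, "10.0.0.3")
    return t.licensed_hosts(1), t.licensed_hosts(1000)  # before / after idle timeout
```

Running `demo()` shows all three hosts licensed at first, and only the static-translation host still consuming a license once the others have idled out.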
