PIX licensing question

Hi, I have a PIX 501, 10-user license. There are 7 computers and 4 network printers and the 7th computer cannot connect, I guess because of the number of available licenses. Is this the way PIX licensing works? Is there any way to fix it without buying more licenses? The next step is 50 users, which I really don't need that many of. Thanks, Rob

Rob

Yep, and the upgrade from 10 to 50 will cost almost as much as the PIX 501 itself ...

Merv

Not exactly.

The license works on the basis of the number of active "local hosts". Here are some guidelines, deduced or drawn from conversations with the TAC:

- For the 10 user license, you are allowed 10 active "local hosts". You can see the current local hosts via "show local".

- If you are using nat/global then when an internal host wants to talk to the outside, a "local host container" will be allocated to it. That local host container will continue to exist as long as there are any active translations from that host, plus another few (10 or so) seconds after that. There is no way to configure the duration of that extra little delay.

- An internal host will have an active translation if it has a TCP connection to the outside (until the connection is closed or times out due to inactivity). A TCP connection which happens to have "keep-alive" traffic will never time out due to inactivity [provided that the keep-alives happen more often than the TCP timeout -- which is usually about 8 hours]

- An internal host will have an active translation to the outside if it has a UDP connection which has not yet timed out (default: 2 minutes with no traffic on the connection.)

- An internal host will have an active translation if it is doing ICMP; the ICMP timeout is about 30 seconds by default.

- An internal host will have an active translation to the outside if it is using some other protocol, such as GRE or ESP (used if it is running VPN client software to a remote server.)

- UDP is based purely on timeouts, whereas for TCP the state of the connection is also monitored. TCP timeouts are not the norm, but will happen in some configurations, especially if you have internal hosts talking to an external Exchange server. There is a single timeout parameter controlling all of the varieties of traffic that are not TCP, UDP, or ICMP.

- After the last active connection for a host terminates or times out, there is a translation timeout period, which is configurable. It is not until after that translation timeout that the local host container becomes eligible for reclaiming, which will be done at the convenience of the PIX.

- The overall key point here is that for the nat/global case, when an internal host stops talking to the outside and has closed all of its tcp connections, then after a brief delay the license will be "given back" and can then be used by another host.

- Another key point here is that for the nat/global case, an internal host which never talks to the outside will never use up a license. In particular, if your network printers are only talked to by inside hosts, and the network printers have not been configured to request DNS or WINS service from an external host, then the network printers will not count towards the license total.

- If you have a "static" or "nat 0 access-list" then those count as translations, but they will not be part of a local-host container until they are first activated by traffic that actually makes use of the static or nat 0 access-list.

- Once activated by traffic, "static" and "nat 0 access-list" translations will never time out in a local-host container, so that local-host container will persist (and count towards the license) until the next reboot or "clear local-host", even if there is no traffic for months.

- Hence, an *unused* "static" or "nat 0 access-list" translation does not count towards the limit, but as soon as it is used even a little it will latch the license and not let it go.

- Important point: if you have a "static" or "nat 0 access-list" and someone from outside attempts to connect to that host, then the translation will be activated *before* the access-lists are checked. Therefore if you have a static and someone port-scans that IP, the static will get activated and use up a license slot for the rest of the PIX boot session, even if no traffic is ever permitted through the firewall.

- VPN traffic is often handled through "nat 0 access-list", so VPN traffic will usually latch the licenses as described above.

- I never remember whether "nat 0" (without "access-list") creates a temporary translation (nat/global) or a permanent one (static / nat 0 access-list).

- It is possible that Cisco handles some VPN traffic differently and knows enough to release the license for (say) PPTP traffic. I have not tested or inquired about this point; it is best not to count on it.

Overall, what this suggests for your situation is:

1) Use a local DNS and local WINS server and configure your internal hosts to -only- talk to them for name resolution.

2) If your network printers are not used by remote hosts, then check them to ensure they only draw upon local resources such as the local DNS and WINS server mentioned above.

3) Conserve local-host containers by using nat/global instead of "static" for hosts that do not act as servers.

4) Put up a proxy server and run as many kinds of traffic through there as practical -- in particular, run plain HTTP traffic through it. This will concentrate the HTTP connections through a single internal host (and hence only use one local-host container instead of one per simultaneous HTTP connection).

5) Sometimes the least expensive approach is just to pay for the license increment: the above approaches require parts and time and disruption whose value could easily exceed the cost of going for the next license.
Walter Roberson
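The slot-accounting rules Walter lays out above (dynamic nat/global containers released after the last translation times out; static and nat 0 access-list containers latched until reboot or "clear local-host") can be turned into a small model for checking how many of the 10 slots a given mix of hosts will hold at a point in time. This is an added example, not part of the thread or Cisco's code; the translation timeout value and the sample host scenario are assumed, and the timeouts follow the figures quoted in the post.

```python
from dataclasses import dataclass, field
from typing import Optional

TCP_IDLE, UDP_IDLE, ICMP_IDLE = 8 * 3600, 120, 30   # idle timeouts quoted in the thread (s)
XLATE_TIMEOUT = 3 * 3600   # translation timeout is configurable; this value is assumed
RELEASE_DELAY = 10         # "another few (10 or so) seconds" before the container is reclaimed

@dataclass
class Flow:
    proto: str                 # "tcp", "udp", "icmp", or "static" (static / nat 0 access-list hit)
    start: float
    last_seen: float
    closed_at: Optional[float] = None   # TCP only: when the connection was torn down

    def active_until(self) -> float:
        if self.proto == "static":
            return float("inf")          # latched until reboot or "clear local-host"
        if self.proto == "tcp":
            end = self.last_seen + TCP_IDLE
            return min(end, self.closed_at) if self.closed_at is not None else end
        return self.last_seen + (UDP_IDLE if self.proto == "udp" else ICMP_IDLE)

@dataclass
class LocalHost:
    flows: list = field(default_factory=list)
    cleared_at: Optional[float] = None   # time of "clear local-host" for this host, if any

    def holds_slot(self, t: float) -> bool:
        # Translations that started before t and were not wiped by a "clear local-host" at or before t.
        live = [f for f in self.flows if f.start <= t
                and not (self.cleared_at is not None and f.start <= self.cleared_at <= t)]
        if not live:
            return False
        if any(t < f.active_until() for f in live):
            return True              # at least one translation is still active
        # All translations have ended: the container lingers for the xlate timeout plus the delay.
        return t < max(f.active_until() for f in live) + XLATE_TIMEOUT + RELEASE_DELAY

def slots_in_use(hosts: dict, t: float) -> list:
    return sorted(name for name, h in hosts.items() if h.holds_slot(t))   # hosts holding a slot at t

def example_scenario() -> dict:
    """Constructed sample: a PC with a 10-minute web session, a PC sending one DNS query,
    a printer whose static is hit once from outside, and a host cleared by hand at t=100."""
    return {
        "pc1": LocalHost([Flow("tcp", 0, 0, closed_at=600)]),
        "pc2": LocalHost([Flow("udp", 0, 0)]),
        "printer": LocalHost([Flow("static", 50, 50)]),
        "pc3": LocalHost([Flow("static", 50, 50)], cleared_at=100),
    }
```

Running `slots_in_use(example_scenario(), t)` for increasing `t` shows the two dynamic hosts dropping off after the xlate timeout while the printer keeps its slot indefinitely, which is the behaviour the post warns about for statics.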

