PIX501 user connections

I have a PIX501 I am using only for a VPN connection as backup to a T-1 circuit. It has a 10 user liscence on it. My question will the PIX just route the 20 users at the office or do I need a different liscence? All traffic will only be going over the VPN with no NAT'ing.

Reply to
Loading thread data ...

It isn't clear in your question as to whether the 20 users are "inside" or "outside" relative to the PIX.

The license limit is the number of distinct inside hosts that are talking to the outside or which have active translations. If you have a static() for a host, then as soon as that static gets used the first time (since boot), that host gets locked in as active until the next reset/boot.

If your 20 users are "inside" and connecting out via VPN, then they will still need to use up license slots, and you will likely need the license increment (unless less than half are active on average.)

If your 20 users are remote, connecting through individual VPN client connections, then the applicable license is the number of IKE peers, which is distinct from the 10 user license. Unfortunately, the number of IKE peers is relatively small for a PIX 501, and cannot be increased by license changes (but PIX 6.3 increased the limit relative to 6.2 if I recall correctly.)

If your 20 users are remote, connecting through a site-to-site tunnel (e.g., another PIX 501 at the other end), then that would only be one IKE peer, and the limit would become the number of internal devices they are communicating with.

Reply to
Walter Roberson


10-to-50 user upgrade license for Cisco PIX 501


10-to-unlimited user upgrade license for Cisco PIX 501 (requires Cisco PIX Security Appliance Software Version 6.3)


Brad Reese

formatting link

Reply to

The users are inside and I am only going to 1 ike peer.

access-list DONOTNAT permit ip

ip address outside X.X.X.X

ip address inside

nat (inside) 0 access-list DONOTNAT

sysopt connection permit-ipsec

crypto ipsec transform-set OTGSET esp-3des esp-md5-hmac

crypto map TOOTG 10 ipsec-isakmp

crypto map TOOTG 10 match address DONOTNAT

crypto map TOOTG 10 set peer X.X.X.X

crypto map TOOTG 10 set transform-set OTGSET

crypto map TOOTG interface outside

isakmp enable outside

isakmp key ****** address X.X.X.X netmask no-xauth no-config-mode

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

Reply to

The license limits on a PIX 501 *do* apply to nat 0 access-list hosts that have active conversations.

Reply to
Walter Roberson

Thank you for explaining that for me. I now get order 50 user liscences for a couple of my offices. Thanks again for replying quickly

Reply to

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.