Cisco ASA 5505 User License Explained
I get a lot of questions regarding the meaning of user license numbers for the Cisco ASA 5505. This model is offered in three User License options. 10 users, 50 users and UL (unrestricted license). The meaning of user license basically refers to concurrent IP addresses that can communicate between Internal (inside) network and Internet (outside) interface. So, for 10 user license, only 10 concurrent internal hosts (IP addresses) can access the internet. The same applies for 50 users (only 50 concurrent IP addresses can access the Internet). For UL license, there is no such restriction.
The user licensing has also an effect on the maximum number of IP addresses that can be assigned by the DHCP server of the ASA5505 to the internal hosts. For a 10-user license, the max number of DHCP clients on the internal network is 32. For 50-user license, the max number of DHCP clients is 128.
The official explanation from Cisco regarding the Cisco ASA5505 user licensing is as follows:
“In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view host limits. “
The terms “Business” and “Home” VLANs above refer to the Internal and DMZ network zones.
Related posts:
- License Upgrade on Cisco ASA 5505 (or 5500)
- Cisco ASA 5505 Network Port Interfaces
- Cisco ASA 5505 Basic Configuration Tutorial
Tagged with: cisco asa 5505 user license
Filed under: Cisco ASA Hardware
Like this post? Subscribe to my RSS feed and get loads more!
Hi,
if I have 15 Clients in my Network, and 5 of them dont need any internet access, can I manage the Clients which will have access to the internet in ASA ? (or vice versa)
Thx
Best Regards
Mark,
Yes, you can configure static IP addresses to the clients and manage them per IP address. This will consume only 10 users in the license capacity.
OK,
thx for this solution.
And on the Clients with no internet, I had to configure only the IP Adresse and the Subnet. Now I leave the field “Default Gateway” blank and they have no internet access !?
Yes, if you leave the default gateway blank they will not have internet access. Another option is to block their IP address from the ASA firewall.
Thank you for explaining this!
I’m wondering about the definition of “concurrent”. Consider a household of 4, where each person has a desktop, laptop, and other device (ipad, nook, xbox, etc.). Throw in a streaming media box, a linux fileserver, phones that connect through wifi, etc., and the number of total devices can easily hit 15-20. Are these considered concurrent devices if they’re not actively being used?
BT,
No, all these devices will not be counted as concurrent if they don’t access the Internet.
I have an ASA-5505 with the base license. The inside has 3 Virtual Servers, each running about 40 websites. the vast majority of traffic then is obviously “inbound”. According to the Cisco explanation, “Internet hosts are not counted towards the limit.” To me this means that I should have no problems with lots of folks browsing my sites from the Internet side. However, most of my sites experience no access, access, no access, on and on all day long.
Am I reading their explanation wrong?
KK,
If the websites do not initiate any traffic towards the Internet, then they do not count towards the host limit.
However, in your case it seems that your problem of no-access maybe due to limitations of the performance of the ASA5505. Having 40 websites behind a 5505 is too much. Maybe the theoretical performance specs given by Cisco seem enough but these specs are measured for a device with minimal configuration and requirements. After adding ACLs and other config these specs drop significantly.
Thanks. That is pretty much the way I was leaning just based on the total randomness of the problem. It is interesting though that the ASDM graphs for CPU and memory never went very high. I was expecting to see something “pegged”.