Cisco ASA 5505 User License Explained
I get a lot of questions regarding the meaning of the user license numbers for the Cisco ASA 5505. This model is offered in three user-license options: 10 users, 50 users, and UL (unrestricted license). The user license basically refers to the number of concurrent IP addresses that can communicate between the internal (inside) network and the Internet (outside) interface. So, with a 10-user license, only 10 concurrent internal hosts (IP addresses) can access the Internet. The same applies to the 50-user license (only 50 concurrent IP addresses can access the Internet). With the UL license there is no such restriction.
The user license also affects the maximum number of IP addresses that the DHCP server of the ASA 5505 can assign to internal hosts. For a 10-user license, the maximum number of DHCP clients on the internal network is 32. For a 50-user license, the maximum number of DHCP clients is 128.
The official explanation from Cisco regarding the Cisco ASA5505 user licensing is as follows:
“In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view host limits.”
The terms “Business” and “Home” VLANs above refer to the Internal and DMZ network zones.
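The counting rule quoted above can be turned into a small capacity-planning check. The following is an added example (not code from the post or from Cisco) that applies the rule to constructed flow records; the `Flow` fields and the interface names are assumptions, and the traffic sample is made up for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str      # address of the host that initiated the traffic
    src_iface: str   # interface that host sits behind
    dst_iface: str   # interface the traffic exits through


def counted_hosts(flows, default_route_iface=None, transparent=False):
    """Return the set of source IPs that count toward the host limit.

    Routed mode with a default route: a host counts only when it sends
    traffic toward the default-route (Internet) interface; hosts located
    on that interface, and inside<->DMZ traffic, never count.
    Routed mode without a default route: hosts on every interface count.
    Transparent mode: only the interface with the fewest distinct hosts
    is counted.
    """
    if transparent:
        per_iface = {}
        for f in flows:
            per_iface.setdefault(f.src_iface, set()).add(f.src_ip)
        return min(per_iface.values(), key=len, default=set())
    if default_route_iface is None:
        return {f.src_ip for f in flows}
    return {f.src_ip for f in flows
            if f.dst_iface == default_route_iface
            and f.src_iface != default_route_iface}


def within_license(flows, limit, **kwargs):
    """True if the counted hosts fit inside a 10- or 50-user license."""
    return len(counted_hosts(flows, **kwargs)) <= limit


# Constructed sample traffic (not captured from a real device).
SAMPLE = (
    # 12 inside hosts browsing the Internet; host .5 opens many connections
    [Flow(f"192.168.1.{i}", "inside", "outside") for i in range(1, 13)]
    + [Flow("192.168.1.5", "inside", "outside")] * 50
    # 3 inside hosts that only reach the DMZ (no default gateway set)
    + [Flow(f"192.168.1.{i}", "inside", "dmz") for i in range(20, 23)]
    # Internet visitors hitting a DMZ web server
    + [Flow(f"203.0.113.{i}", "outside", "dmz") for i in range(1, 200)]
)

if __name__ == "__main__":
    n = len(counted_hosts(SAMPLE, default_route_iface="outside"))
    ok = within_license(SAMPLE, 10, default_route_iface="outside")
    print(n, "hosts count toward the limit;", "OK" if ok else "over 10-user license")
```

A single address with many connections (such as a server, or a router doing PAT for a LAN behind it) is counted once, which is why the limit is about hosts rather than sessions.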


Hi,
If I have 15 clients in my network, and 5 of them don't need any internet access, can I manage the clients which will have access to the internet in the ASA? (or vice versa)
Thx
Best Regards
Mark,
Yes, you can configure static IP addresses on the clients and manage them per IP address. This will consume only 10 users of the license capacity.
OK,
Thx for this solution.
And on the clients with no internet, I had to configure only the IP address and the subnet. Now I leave the field “Default Gateway” blank and they have no internet access!?
Yes, if you leave the default gateway blank they will not have internet access. Another option is to block their IP address from the ASA firewall.
Thank you for explaining this!
I’m wondering about the definition of “concurrent”. Consider a household of 4, where each person has a desktop, laptop, and other device (ipad, nook, xbox, etc.). Throw in a streaming media box, a linux fileserver, phones that connect through wifi, etc., and the number of total devices can easily hit 15-20. Are these considered concurrent devices if they’re not actively being used?
BT,
No, all these devices will not be counted as concurrent if they don’t access the Internet.
I have an ASA-5505 with the base license. The inside has 3 Virtual Servers, each running about 40 websites. the vast majority of traffic then is obviously “inbound”. According to the Cisco explanation, “Internet hosts are not counted towards the limit.” To me this means that I should have no problems with lots of folks browsing my sites from the Internet side. However, most of my sites experience no access, access, no access, on and on all day long.
Am I reading their explanation wrong?
KK,
If the websites do not initiate any traffic towards the Internet, then they do not count towards the host limit.
However, in your case it seems that your problem of no-access maybe due to limitations of the performance of the ASA5505. Having 40 websites behind a 5505 is too much. Maybe the theoretical performance specs given by Cisco seem enough but these specs are measured for a device with minimal configuration and requirements. After adding ACLs and other config these specs drop significantly.
Thanks. That is pretty much the way I was leaning just based on the total randomness of the problem. It is interesting though that the ASDM graphs for CPU and memory never went very high. I was expecting to see something “pegged”.
Hi, if I don't create an outside interface and no default route,
just an inside and a client interface,
then can I open more than 10 concurrent sessions from the inside to the client side?
No, you are still restricted to 10 concurrent sessions.
Thank you, and if I do PAT from a router behind the ASA, will the ASA treat it as 1 inside host? Or will it do deep inspection and count it as more than 10?
Actually I have sent a 5505 10-user ASA to the client end, and I have to NAT 100 inside hosts to 1 PAT IP, so I think I should do it on the router that is connected behind the ASA. Will that work?
Yes, that will probably work.
We’re using the 5505 in a site-to-site VPN. We are hitting the host limit of 10. My question is: What causes the host count to be reduced? In other words, when does an IP address let go of its connection? Is there a timeout of inactivity? If so, is there a configuration option or setting that will free up a session/connection faster?
Bill,
I don’t know the exact algorithm used by Cisco to determine the maximum host count, but from their description of the host limit it seems that if you execute “show local-host”, the number of active hosts shown by this command is the host count. The active hosts are influenced by the “xlate” (NAT translation) timeout.
So theoretically, one Exchange server could max out a connection count if it is hosting outlook web access, correct?
Jordan,
Since the license limit takes into account concurrent IP addresses rather than the number of connections, one Exchange server will not max out the connection count. One Exchange server will be considered one host and take up one license no matter how many connections are used.