Understanding the ASA 5505 User License Restriction

Hello,

As you might have seen whenever you get an ASA 5505 out of the box from Cisco with a default license (Base License) you will see a restriction with the amount of users available through the Firewall (I know, I know, this SUCKS). The good thing is there are some licenses you can use in order to increase the amount of hosts, the bad thing is you will need to pay for it (Cisco World).

A little bit of background:

The ASA 5505, the smallest of the old ASA 5500 series is the only Cisco Firewall with that user restriction and it works like this.

  • With the base license you can have up to 10 users
  • With the license ASA5505-50-BUN-K9 you increase the users from 10 to 50
  • With the license ASA5505-UL-BUN-K9 you can forget about the restriction, that’s right unlimited users.
  • With the Security Plus license you would also forget about the restriction (plus the additional other features you get)

 

Note: The Security Plus Part ID if you are interested on ordering it’s ASA5505-SEC-BUN-K9.

And to finish this post we are going to talk about how does the count of users actually work. I mean how does the firewall determines if there are 10 users or more?

From cisco.com

“In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit when they communicate with the outside (Internet VLAN), including when the inside initiates a connection to the outside as well as when the outside initiates a connection to the inside. Note that even when the outside initiates a connection to the inside, outside hosts are notcounted towards the limit; only the inside hosts count. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the outside Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view host limits.”

OK….what does it mean?

This basically means if a host on a higher security level than the lower security interface  initiates a connection to 10 different Outside servers we will count only 1 IP address towards the local host limit  as only inside users IPs is count (remember that we must have a default route in order for the ASA to determine which one is the outside interface).

What happens if I have a web-server on the Inside and several hosts on the outside will connect to it?

In this case again only the inside host is counted again the license so only 1 host is taking into the rule even if we have hundreds of outside users connecting.

What about VPN traffic?

This is a tough one, I have seen behaviors that make think one way and then another time everything changes so my answer for this question would be the following:

Users on the other side of the tunnel will not be counted against the License restriction BUT if one of the devices on the other side initiates a connection to a host on our site, that local host will be counted as usual.

 

I want to share with you a bug that I have seen in the past regarding ASA, VPN users, U-Turn traffic and this license restrictions.

CSCsk49506

When traffic comes in and goes out the interface that has the lowest security level, the local-host built for that traffic is counted towards the host license limit.

The work-around for this is to use split-tunneling or pay for the new license (Cisco Favorite work-around).

The definite fix go to a version where the bug is not present.

 

So that’s  it! That’s what the ASA 5505 user license has to offer us.

I hope you like this quick tutorial and that help all of you out there.

 

Regards,

iNetworks