Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Cisco ASA 5505 (ASA5505-BUN-K9)

Posted on 2006-11-02
Medium Priority
Last Modified: 2013-11-16
I have a couple questions on the ASA5505-BUN-K9 Cisco just released...

First off, I saw that this is limited to 10 users.  There will be only 5 machines or so, but one of them is a server.  How are these 10 users computed?  (where exactly is the limitation?)

Second, I will need to forward ports on to the web server.  I have a PIX 506 and can do this with that by setting up access-lists and statics to permit the traffic in.  Will I be able to do something similar with the ASA5505-BUN-K9?

Finally, the other computers on the network need to get to the web server when they try to go to the URL.  For example, if my public IP address is and the private IP address of the web server is, the computers need to either a) get routed by the ASA to the private IP (hairpinning, which is not supported by the PIX 506) or b) use DNS trickery to make the machine go directly to the private IP (the way it's done in the PIX 506).  Will one of these options or both be available in the ASA?
Question by:stev0931
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
LVL 20

Accepted Solution

calvinetter earned 1600 total points
ID: 17864033
>I saw that this is limited to 10 users.
   'users' = simultaneous IPs traversing the ASA.  Similar to PIX 501 licensing - a 10-user license will only allow a max of 10 different IP devices (whether PCs, servers, routers, etc) outbound through the ASA.

>I will need to forward ports on to the web server...
  Yes, similar to a PIX, using ACLs & static NAT entries.  ACL syntax in ASA is a wee bit different.  See below for docs.

Yes, both hairpinning & DNS trickery are available in the ASA.  As in the PIX, DNS trickery would only work if the DNS server(s) that resolve your public web URL are outside the PIX/ASA.

  See also:
Command Reference:
Config Guides:


Author Comment

ID: 17864148
Terrific!  Thanks!  And thanks for the help on my other question (http://www.experts-exchange.com/Security/Firewalls/Q_22043414.html)  Will post a response on that one as soon as I've tried a few more things...

Author Comment

ID: 17864153
Oh, so when you say simultaneous, I'm assuming that means that 10 people can be communicating at the exact same time?  Or is there a latency in releasing the "user license" like in the SonicWall?  Thanks!
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

LVL 20

Expert Comment

ID: 17864213
You're welcome!

>I'm assuming that means that 10 people can be communicating at the exact same time?
  10 IP devices in the NAT table, essentially.  So "releasing" a slot for another host to get through depends on how long NAT entries are allowed to sit idle before being cleared.  This is set the same way as in a PIX, with:
  timeout xlate 03:00:00  <- default is 3 hr

If you already have at least 5 IP devices on your network, I'd seriously consider just getting one w/ the 50-user license, that way you won't have to worry about maxing out the NAT table, & it's usually much cheaper to get the 50-user license bundled w/ the original purchase than getting it separate later on.


Author Comment

ID: 17864317
Good plan!

Author Comment

ID: 17867904
So if a sh exlate looks like this:

PAT Global X.X.233.55(1877) Local
PAT Global X.X.233.55(25) Local
PAT Global X.X.233.55(9452) Local
PAT Global X.X.233.55(9453) Local
PAT Global X.X.233.55(9454) Local
PAT Global X.X.233.55(9455) Local
PAT Global X.X.233.55(9456) Local
PAT Global X.X.233.55(9457) Local
PAT Global X.X.233.55(5318) Local
PAT Global X.X.233.55(5320) Local

Would this count as 10 users?  Or 2 since there are only 2 different IPs?

Author Comment

ID: 17868079
In case another example would help...

sh xlate
27 in use, 167 most used
PAT Global X.X.233.55(9540) Local
PAT Global X.X.233.55(9542) Local
PAT Global X.X.233.55(9547) Local
PAT Global X.X.233.55(9548) Local
PAT Global X.X.233.55(9549) Local
PAT Global X.X.233.55(9550) Local
PAT Global X.X.233.55(9551) Local
PAT Global X.X.233.55(9552) Local
PAT Global X.X.233.55(9553) Local
PAT Global X.X.233.55(9554) Local
PAT Global X.X.233.55(9555) Local
PAT Global X.X.233.55(9556) Local
PAT Global X.X.233.55(1877) Local
PAT Global X.X.233.55(9516) Local
PAT Global X.X.233.55(9518) Local
PAT Global X.X.233.55(9526) Local
PAT Global X.X.233.55(9530) Local
PAT Global X.X.233.55(9531) Local
PAT Global X.X.233.55(9533) Local
PAT Global X.X.233.55(9535) Local
PAT Global X.X.233.55(5383) Local
PAT Global X.X.233.55(5389) Local
PAT Global X.X.233.55(5390) Local
PAT Global X.X.233.55(5391) Local
PAT Global X.X.233.55(5392) Local
PAT Global X.X.233.55(5393) Local
PAT Global X.X.233.55(25) Local

Would this count as 27 users?  Or 2 since there are only 2 different local IPs?
LVL 20

Expert Comment

ID: 17870525
Each of the above blocks of xlate entries would only count as 2 'users/nodes' since there are only 2 *different IPs* traversing the PIX/ASA.


Author Comment

ID: 17870867
Thanks!  This really helps me out a ton!  I'm posting a community question so that I can adjust the points up...

Also, if I have 5 visitors on my web site server, does it count as 1 user since it's one IP on the inside?  Thanks again!
LVL 20

Expert Comment

ID: 17871497
Thanks also!

>if I have 5 visitors on my web site server...
  Yes, only counts as 1 'user/node'.  The only thing that matters is how many internal IPs are going outbound simultaneously.


Author Comment

ID: 17871760
Terrific!  That's the best thing I've heard all day :)

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question