Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1175
  • Last Modified:

Cisco ASA 5505 (ASA5505-BUN-K9)

I have a couple questions on the ASA5505-BUN-K9 Cisco just released...

First off, I saw that this is limited to 10 users.  There will be only 5 machines or so, but one of them is a server.  How are these 10 users computed?  (where exactly is the limitation?)

Second, I will need to forward ports on to the web server.  I have a PIX 506 and can do this with that by setting up access-lists and statics to permit the traffic in.  Will I be able to do something similar with the ASA5505-BUN-K9?

Finally, the other computers on the network need to get to the web server when they try to go to the URL.  For example, if my public IP address is 4.3.2.1 and the private IP address of the web server is 192.168.1.5, the computers need to either a) get routed by the ASA to the private IP (hairpinning, which is not supported by the PIX 506) or b) use DNS trickery to make the machine go directly to the private IP (the way it's done in the PIX 506).  Will one of these options or both be available in the ASA?
0
stev0931
Asked:
stev0931
  • 7
  • 4
1 Solution
 
calvinetterCommented:
>I saw that this is limited to 10 users.
   'users' = simultaneous IPs traversing the ASA.  Similar to PIX 501 licensing - a 10-user license will only allow a max of 10 different IP devices (whether PCs, servers, routers, etc) outbound through the ASA.

>I will need to forward ports on to the web server...
  Yes, similar to a PIX, using ACLs & static NAT entries.  ACL syntax in ASA is a wee bit different.  See below for docs.

Yes, both hairpinning & DNS trickery are available in the ASA.  As in the PIX, DNS trickery would only work if the DNS server(s) that resolve your public web URL are outside the PIX/ASA.

  See also:
Command Reference:
  http://www.cisco.com/en/US/products/ps6120/prod_command_reference_list.html
Config Guides:
http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html

cheers
0
 
stev0931Author Commented:
Terrific!  Thanks!  And thanks for the help on my other question (http://www.experts-exchange.com/Security/Firewalls/Q_22043414.html)  Will post a response on that one as soon as I've tried a few more things...
0
 
stev0931Author Commented:
Oh, so when you say simultaneous, I'm assuming that means that 10 people can be communicating at the exact same time?  Or is there a latency in releasing the "user license" like in the SonicWall?  Thanks!
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
calvinetterCommented:
You're welcome!

>I'm assuming that means that 10 people can be communicating at the exact same time?
  10 IP devices in the NAT table, essentially.  So "releasing" a slot for another host to get through depends on how long NAT entries are allowed to sit idle before being cleared.  This is set the same way as in a PIX, with:
  timeout xlate 03:00:00  <- default is 3 hr

If you already have at least 5 IP devices on your network, I'd seriously consider just getting one w/ the 50-user license, that way you won't have to worry about maxing out the NAT table, & it's usually much cheaper to get the 50-user license bundled w/ the original purchase than getting it separate later on.

cheers
0
 
stev0931Author Commented:
Good plan!
0
 
stev0931Author Commented:
So if a sh exlate looks like this:

PAT Global X.X.233.55(1877) Local 192.168.1.244(4500)
PAT Global X.X.233.55(25) Local 192.168.1.100(25)
PAT Global X.X.233.55(9452) Local 192.168.1.100(62449)
PAT Global X.X.233.55(9453) Local 192.168.1.100(1049)
PAT Global X.X.233.55(9454) Local 192.168.1.100(3499)
PAT Global X.X.233.55(9455) Local 192.168.1.100(29934)
PAT Global X.X.233.55(9456) Local 192.168.1.100(28662)
PAT Global X.X.233.55(9457) Local 192.168.1.100(9648)
PAT Global X.X.233.55(5318) Local 192.168.1.100(63122)
PAT Global X.X.233.55(5320) Local 192.168.1.100(59773)

Would this count as 10 users?  Or 2 since there are only 2 different IPs?
0
 
stev0931Author Commented:
In case another example would help...

sh xlate
27 in use, 167 most used
PAT Global X.X.233.55(9540) Local 192.168.1.100(49389)
PAT Global X.X.233.55(9542) Local 192.168.1.100(21485)
PAT Global X.X.233.55(9547) Local 192.168.1.100(58322)
PAT Global X.X.233.55(9548) Local 192.168.1.100(37075)
PAT Global X.X.233.55(9549) Local 192.168.1.100(3789)
PAT Global X.X.233.55(9550) Local 192.168.1.100(18133)
PAT Global X.X.233.55(9551) Local 192.168.1.100(25552)
PAT Global X.X.233.55(9552) Local 192.168.1.100(13009)
PAT Global X.X.233.55(9553) Local 192.168.1.100(14036)
PAT Global X.X.233.55(9554) Local 192.168.1.100(51927)
PAT Global X.X.233.55(9555) Local 192.168.1.100(11993)
PAT Global X.X.233.55(9556) Local 192.168.1.100(59095)
PAT Global X.X.233.55(1877) Local 192.168.1.244(4500)
PAT Global X.X.233.55(9516) Local 192.168.1.100(1049)
PAT Global X.X.233.55(9518) Local 192.168.1.100(29934)
PAT Global X.X.233.55(9526) Local 192.168.1.100(6891)
PAT Global X.X.233.55(9530) Local 192.168.1.100(62446)
PAT Global X.X.233.55(9531) Local 192.168.1.100(31726)
PAT Global X.X.233.55(9533) Local 192.168.1.100(24815)
PAT Global X.X.233.55(9535) Local 192.168.1.100(25068)
PAT Global X.X.233.55(5383) Local 192.168.1.100(63175)
PAT Global X.X.233.55(5389) Local 192.168.1.100(59915)
PAT Global X.X.233.55(5390) Local 192.168.1.100(63181)
PAT Global X.X.233.55(5391) Local 192.168.1.100(63182)
PAT Global X.X.233.55(5392) Local 192.168.1.100(63183)
PAT Global X.X.233.55(5393) Local 192.168.1.100(59927)
PAT Global X.X.233.55(25) Local 192.168.1.100(25)

Would this count as 27 users?  Or 2 since there are only 2 different local IPs?
0
 
calvinetterCommented:
Each of the above blocks of xlate entries would only count as 2 'users/nodes' since there are only 2 *different IPs* traversing the PIX/ASA.

cheers
0
 
stev0931Author Commented:
Thanks!  This really helps me out a ton!  I'm posting a community question so that I can adjust the points up...

Also, if I have 5 visitors on my web site server, does it count as 1 user since it's one IP on the inside?  Thanks again!
0
 
calvinetterCommented:
Thanks also!

>if I have 5 visitors on my web site server...
  Yes, only counts as 1 'user/node'.  The only thing that matters is how many internal IPs are going outbound simultaneously.

cheers
0
 
stev0931Author Commented:
Terrific!  That's the best thing I've heard all day :)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.

  • 7
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now