Solved

Cisco ASA 5505 host license limit workaround and dhcp lease time

Posted on 2014-01-12
Last Modified: 2014-01-18
We have a Cisco ASA 5505 with a 10 host license. For several years this tiny home office didn't need more than that. But, being in a home office, the number of business hosts as well as the family's personal inventory of smart devices (tablets, phones, smart TVs) has exceeded the host limit. The business runs on Windows SBS 2008 and we currently have an Engenius wireless access point but also have other wireless routers we could deploy.

My first question is simply this: how do I get the ASA to open up unused host connections when devices have left the building or been turned off? It seems like the machine keeps some connections a long time, even when the device has been shutdown. Is this related to DHCP lease times? If so, do I just need to shorten the lease time to something like 600 seconds (10 minutes)?

Will a short lease time create excessive overhead traffic?

The second question is: Should I set up a separate home network on another wireless router and use NAT to keep that traffic on a single address going to the ASA since it generally should not need to see any of the business LAN devices? We have a Comcast business Internet gateway, so maybe I can just plug that other router straight into the cable modem... guess I better look at the box and see if it has more LAN ports for that.
Question by:Shannon Mollenhauer
6 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39774840
Had the exact same issue with my 10 user license ASA. Those personal wireless devices add up fast!  :-)

I ended up getting a 50 user license.

But in the interim, I created a separate wireless network that NATed to the ASA. So all wireless devices only counted as one device as far as the ASA was concerned.

IIRC, the command to clear an existing connection is "clear local-host <ip address>".
 

Author Comment

by:Shannon Mollenhauer
ID: 39774999
Thanks for the suggestion. I'm not going to be using CLI repeatedly, but I'll use the clear command to test the release of connections. I'd still appreciate anyone's advice on whether the DHCP lease time being much shorter will accomplish the same clearing effect.
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39775008
Oh... Sorry. I didn't see where you were going with the DHCP lease idea.

I don't think that's going to help since the DHCP table is separate from the connection table.

 

Author Comment

by:Shannon Mollenhauer
ID: 39791269
We ended up putting a cheap Netgear wireless router on another port on the Comcast gateway and moving non-business devices to that network. Still evaluating whether to upgrade the licenses on the Cisco ASA, replace it, or keep things as-is. Shortened lease time might have helped the ASA recognize that a device has been off the network for a while and not actively using a connection, but I can't verify that with my limited knowledge of the device. Closing the question for now.
 

Author Comment

by:Shannon Mollenhauer
ID: 39791356
I've requested that this question be closed as follows:

Accepted answer: 0 points for smollenhauer's comment #a39791269

for the following reason:

Suggestions by others didn't answer the original question. Workaround in place for now.
 
LVL 50

Accepted Solution

by:Don Johnston (earned 250 total points)
ID: 39791350
I believe that I answered both questions.

Changing the DHCP lease will not affect the connection table.  And adding a second network using NAT will reduce the number of connections against the license.
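As an added example (not from this thread, and not Cisco's code), a small Python parser for `show local-host` style output that counts how many distinct inside hosts the ASA is currently holding against its host license and lists the hosts with no active flows, which are the entries you would release with `clear local-host <ip address>` as suggested above. The sample dump is constructed, and its layout is an assumption modelled on the command's output rather than a capture from a real ASA.

```python
import re

# Constructed sample in the style of `show local-host` output; the exact
# layout is an assumption, not captured from a real ASA.
SAMPLE_OUTPUT = """\
Interface inside: 4 active, 10 maximum active, 0 denied
local host: <192.168.1.10>,
    TCP flow count/limit = 3/unlimited
    UDP flow count/limit = 1/unlimited
local host: <192.168.1.22>,
    TCP flow count/limit = 0/unlimited
    UDP flow count/limit = 0/unlimited
local host: <192.168.1.31>,
    TCP flow count/limit = 0/unlimited
    UDP flow count/limit = 2/unlimited
local host: <192.168.1.45>,
    TCP flow count/limit = 0/unlimited
    UDP flow count/limit = 0/unlimited
"""

HOST_RE = re.compile(r"^local host:\s*<([\d.]+)>")
FLOW_RE = re.compile(r"^\s*(TCP|UDP) flow count/limit = (\d+)/")

def parse_local_hosts(text):
    """Return {ip: total_flow_count} for every host entry in the dump."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = 0
            continue
        m = FLOW_RE.match(line)
        if m and current is not None:
            hosts[current] += int(m.group(2))
    return hosts

def license_report(text, host_limit=10):
    """Count hosts against the license and list idle ones (zero flows)."""
    hosts = parse_local_hosts(text)
    idle = sorted(ip for ip, flows in hosts.items() if flows == 0)
    return {
        "active_hosts": len(hosts),
        "host_limit": host_limit,
        "remaining": host_limit - len(hosts),
        "idle_hosts": idle,  # candidates for: clear local-host <ip>
    }
```

Feed it the real output of `show local-host` (pasted or captured over SSH) and `license_report(text)["idle_hosts"]` gives the addresses still occupying a license slot without any flows; after moving the personal devices behind a NAT router, the same report should show that whole group collapsed into one inside host.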
