
Was not aware that ASA 5505 base license restricts number of concurrent hosts to 10 (RTFM, I know). Running a "show local-host" I see my host count at 8, a bit too close for comfort with a production web server sitting behind the ASA.

Investigating further, I see a couple of hosts counted that are restricted to VPN access only, which surprised me since these are internal hosts that neither receive nor initiate traffic to/from outside. Or so I thought; it looks like the 2 internal hosts in question (Linux boxes) periodically send a single UDP packet over port 123 to outside NTP servers to keep correct system time. That's a bit severe, no? A single packet counts as a host, ouch.

At any rate, I'm thinking I can preserve these 2 hosts by using one of the publicly accessible servers as an NTP server, rather than going outside to a public NTP server to get the current time. Basically I'd like the host count to go against:

1) our 2 name servers
2) production web server accepting 4 NAT'd public-to-dmz IPs

and not against private servers that simply need their system times up-to-date.

Also, just to clarify, host count is based on any internal interface that receives/initiates traffic to/from the outside? In other words, a server on private 10.1.x.x that has no connectivity to the outside is NOT counted as a host.

For the time being I need to stay within base license 10 host limit, but will obviously upgrade to 50 user license as capacity needs increase.

virtualeyes

3 Answers

The question was essentially: without upgrading, what techniques can one employ to conserve host usage. @dunxd was the closest so he gets the nod, although the expense of sticking a router between the ASA and servers is greater than the upgrade (setup in a colo facility, pay $$ per U per month)

For future ASA newbies, the 10 host limit applies to any internal interface (dmz or private) that initiates or receives traffic to/from the outside. So, in my case I have a web server NIC set on DMZ interface 172.16.x.x with 5 aliases x.2, x.3, etc. Host count is 6. I also have 2 name servers on the DMZ which bring the host count to 8. That's fine, in-line with license terms. However, check this out:

If you VPN into your ASA and then SSH into 1 of the internal servers on a private interface, that too will increment your host count. A bit shady, IMO, that when I ssh into the dmz web server on its 10.1.x.x NIC (private interface) that counts as a host (already getting 6X host count for the dmz interface on this SAME machine). At any rate, VPN access is not considered local access, even though you bypass any access-lists applicable to "true" outside users and are effectively working on the inside.

This latter point Cisco TAC has nothing to say about, but, sorry, "can't comment on that", as in, yes, I agree, but I like my job.

In the end you have to upgrade. Just tough to justify the expense in a budget hosting setup -- it's like increasing taxes for the poor during a recession. Cisco takes their cheapest device, then applies restrictions on its use that make it non-usable for anything beyond the simplest use cases. Bah, rant over ;-) Hope this helps future newbies...

virtualeyes
  • I feel like the base unit is really intended for really small remote sites or to be used as a client VPN (EasyVPN) to a central location. I've successfully used 10-license firewalls, but had to restrict nearly everything (DNS, ntp, etc.). So yes, the base license is probably a bad deal. – ewwhite Oct 26 '11 at 09:09
  • I am pretty sure the deal is less bad if you buy the ASA with the 50 user license, but I can't say for sure. If the price seems high, there are other firewalls out there - you always pay a premium for Cisco, and sometimes there is value in that, other times it is questionable. – dunxd Oct 26 '11 at 11:40
  • @ewwhite, yes, you have to be more strict in your setup (use a single local ntp server, ssh over vpn on an already used interface, etc.) to conserve hosts. I'm actually running 8 host max count now with my changes, so I can roll with the base license for a while. Once more revenue producing clients come in, sure, 50 user license it will be... – virtualeyes Oct 26 '11 at 17:39
  • @dunxd, while I disagree with Cisco licensing practices, I have to say, the ASA has several advantages over Linux APF/iptables OS firewall. In other words, I really, really like the power of this little unit ;-) No doubt the learning curve is steep initially, but once you get a few TAC sessions under your belt it starts to click (SmartNET is bar none the best tech support deal on the planet) – virtualeyes Oct 26 '11 at 17:43
  • @virtualeyes - I would say the learning curve for an ASA is much less than for Linux APF/iptables if this is your first encounter with a firewall. The Cisco press book on ASA is a pretty good reference, and outlines all the features. I am a fan too. – dunxd Oct 27 '11 at 11:03
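
An added example, not part of the original thread or of any Cisco tooling: a small Python script that parses a `show local-host` dump and reports which hosts are consuming licensed slots per interface, singles out the UDP-only entries (the single-packet NTP case the accepted answer describes), and warns when the total is within a margin of the 10-host base limit. The sample output embedded below is constructed, not captured from a device, and the line patterns follow the common layout of that command as an assumption; check them against your own ASA release before relying on the counts.

```python
import re
from collections import defaultdict

# Constructed sample of "show local-host" output (not captured from a real
# device). The line layout is an assumption based on the usual ASA format.
SAMPLE_OUTPUT = """\
Interface outside: 0 active, 3 maximum active, 0 denied
Interface dmz: 3 active, 6 maximum active, 0 denied
local host: <172.16.1.2>,
    TCP flow count/limit = 4/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited
local host: <172.16.1.10>,
    TCP flow count/limit = 1/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 2/unlimited
local host: <172.16.1.11>,
    TCP flow count/limit = 0/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 1/unlimited
Interface inside: 2 active, 2 maximum active, 0 denied
local host: <10.1.1.5>,
    TCP flow count/limit = 0/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 1/unlimited
local host: <10.1.1.6>,
    TCP flow count/limit = 1/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited
"""

INTERFACE_RE = re.compile(r"^Interface (\S+): (\d+) active, (\d+) maximum active, (\d+) denied")
HOST_RE = re.compile(r"^local host: <([^>]+)>")
FLOW_RE = re.compile(r"^\s+(TCP|UDP) flow count/limit = (\d+)/")


def parse_local_hosts(text):
    """Return {interface: {ip: {"tcp": n, "udp": n}}} parsed from show local-host text."""
    hosts = defaultdict(dict)
    current_if = None
    current_ip = None
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current_if = m.group(1)
            current_ip = None
            hosts.setdefault(current_if, {})
            continue
        m = HOST_RE.match(line)
        if m and current_if is not None:
            current_ip = m.group(1)
            hosts[current_if][current_ip] = {"tcp": 0, "udp": 0}
            continue
        m = FLOW_RE.match(line)
        if m and current_ip is not None:
            hosts[current_if][current_ip][m.group(1).lower()] = int(m.group(2))
    return dict(hosts)


def license_report(text, limit=10, margin=2):
    """Summarise tracked hosts against the licensed host limit.

    Following the thread's description, every host entry tracked on a
    non-outside interface is treated as consuming one licensed slot, even
    when its only traffic is a single UDP flow (e.g. one NTP query).
    """
    parsed = parse_local_hosts(text)
    counted = {}
    udp_only = []
    for iface, entries in parsed.items():
        if iface == "outside":
            continue  # assumption: outside-side entries do not count as inside hosts
        counted[iface] = sorted(entries)
        udp_only += [ip for ip, f in entries.items() if f["tcp"] == 0 and f["udp"] > 0]
    total = sum(len(v) for v in counted.values())
    return {
        "per_interface": counted,
        "total": total,
        "limit": limit,
        "udp_only": sorted(udp_only),
        "near_limit": total >= limit - margin,
    }


if __name__ == "__main__":
    r = license_report(SAMPLE_OUTPUT)
    for iface, ips in r["per_interface"].items():
        print(f"{iface}: {len(ips)} host(s) -> {', '.join(ips)}")
    print(f"total {r['total']}/{r['limit']}, UDP-only hosts (NTP candidates): {r['udp_only']}")
    if r["near_limit"]:
        print("WARNING: within margin of the licensed host limit")
```

The UDP-only list is the set of hosts worth pointing at an internal NTP server first: each of them is burning a licensed slot for a single periodic packet. Feed the script the real command output (for example by pasting it into a file and reading it in place of `SAMPLE_OUTPUT`) and lower `margin` if a two-host buffer is more than the setup can spare.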
It isn't nice, but putting a NAT router in between the ASA and your internal network will limit the number of hosts the ASA counts, since it will only count the NAT router, and nothing behind it, as a host.

The upgrade to a higher number isn't that expensive in my experience - probably worth paying that rather than dealing with the hassle of NATing your internal network.

In my experience Cisco have taken a LONG time to issue upgrade keys - so make sure to place your order in good time. I used the NAT trick to get a remote (remote as in Kinshasa) network up and running when I found the 10 hosts issue during a site visit. That tided us over until Cisco got us the upgrade, and we could reconfigure the ASA.

You might not have to use NAT - I think just having a routed subnet would probably work, but I haven't tried that.

dunxd
  • hmmm, good point, I do have a gigabit switch between the servers and ASA, but I don't believe that will do NAT as you are suggesting. The switch gives me a LAN (192.168.x.x) outside of 10.1.x.x (private) and 172.16.x.x (dmz), so I'm planning on using that to sync up with an internal NTP server and save 3 host connections (that only go outside to get time). In the end, you're right, upgrading is the path of least resistance. Of course, I'm resisting Cisco small biz extortion, thus the question and workarounds ;-) – virtualeyes Oct 25 '11 at 11:06
  • 1
    Actually, I believe I do need NAT: client website public IPs are translated to their dmz counterparts; in the case of ssl, there's a 1-to-1 correlation between public ip and dmz address. At any rate, once I set private servers to use internal NTP server, then host count will be 8 max (6 for web server, 2 for name servers). I'll upgrade once a need for 10+ hosts arises... – virtualeyes Oct 25 '11 at 12:52
  • My hand will be forced soon enough; looks like I can get the 10 to 50 user upgrade for $230 off of CDW, not terrible, but also not great. Just means I can use the device without anxiety of dropped traffic due to exceeding the 10 host limit – virtualeyes Oct 26 '11 at 08:24
$300 buys an upgrade to your license. That may be a better long-term solution.

ewwhite
  • long-term yes, but short-term no. I can nip 2 from the current host count by using a local NTP server. JVM apps and databases can run off of switch 192.168.x.x which ASA knows nothing about. What will force my hand is more clients needing SSL for their sites; no way around that one (afaik), 1-to-1 public ip to dmz = host consumed, arghhh ;-) – virtualeyes Oct 25 '11 at 12:55
  • actually, as of today $230 off of CDW for 10 to 50 user upgrade... – virtualeyes Oct 26 '11 at 08:24