Was not aware that ASA 5505 base license restricts number of concurrent hosts to 10 (RTFM, I know). Running a "show local-host" I see my host count at 8, a bit too close for comfort with a production web server sitting behind the ASA.
Investigating further, I see a couple of hosts counted that are restricted to VPN access only, which surprised me since these are internal hosts that do not receive nor initiate traffic to/from outside. Or so I thought, looks like the 2 internal hosts in question (Linux boxes) periodically send a single UDP packet over port 123 to outside NTP servers to keep correct system time. That's a bit severe, no? Single packet counts as a host, ouch.
At any rate, thinking I can preserve these 2 hosts by using one the publicly accessible servers as an NTP server, rather than going outside to public NTP server to get the current time. Basically I'd like host count to go against:
1) our 2 name servers 2) production web server accepting 4 NAT'd public-to-dmz IPs
and not against private servers that simply need their system times up-to-date.
Also, just to clarify, host count is based on any internal interface that receives/initiates traffic to/from the outside? In other words, a server on private 10.1.x.x that has no connectivity to the outside is NOT counted as a host.
For the time being I need to stay within base license 10 host limit, but will obviously upgrade to 50 user license as capacity needs increase.