10 user limit on 501

[bytehd]

What EXACTLY is this?
an ARP table limit?
how do I clear it: clear xlate?
xlate timeout is 00:05:00

does 10 user limit mean only 10 mac addresses on the
inside can pass traffic?
If so, they need to upgrade to 50 user real quick.

Thanks,
George

George Walkey
Senior Geek in charge

http://www.insyncva.com

 

[tm7wood]

I believe it is based on the mac addr. You can clear it with the clear local-host command.

 

[bytehd]

This is what sho local-host gives:


seccorp-pix(config)# sho local-host
Interface inside: 3 active, 9 maximum active, 0 denied
local host: <192.168.120.29>,
TCP connection count/limit = 0/unlimited
TCP embryonic count = 0
TCP intercept watermark = unlimited
UDP connection count/limit = 0/unlimited
AAA:
Xlate(s):
PAT Global 24.125.128.98(264) Local 192.168.120.29 ICMP id 512
Conn(s):

local host: <192.168.120.22>,
TCP connection count/limit = 0/unlimited
TCP embryonic count = 0
TCP intercept watermark = unlimited
UDP connection count/limit = 0/unlimited
AAA:
Xlate(s):
PAT Global 24.125.128.98(2691) Local 192.168.120.22(4519)
PAT Global 24.125.128.98(2692) Local 192.168.120.22(4520)
PAT Global 24.125.128.98(2693) Local 192.168.120.22(4521)
PAT Global 24.125.128.98(2694) Local 192.168.120.22(4522)
PAT Global 24.125.128.98(2695) Local 192.168.120.22(4523)
PAT Global 24.125.128.98(2696) Local 192.168.120.22(4524)
PAT Global 24.125.128.98(4674) Local 192.168.120.22(4525)
PAT Global 24.125.128.98(4675) Local 192.168.120.22(4526)
PAT Global 24.125.128.98(4676) Local 192.168.120.22(4527)
Conn(s):

local host: <NOVELL>,
TCP connection count/limit = 10/unlimited
TCP embryonic count = 10
TCP intercept watermark = unlimited
UDP connection count/limit = 0/unlimited
AAA:
Xlate(s):
Global 24.125.128.97 Local NOVELL
Conn(s):
TCP out 24.125.128.97:25 in NOVELL:3997 idle 0:00:57 Bytes 0 flags saA
TCP out 24.125.128.97:25 in NOVELL:3998 idle 0:00:55 Bytes 0 flags saA
TCP out 24.125.128.97:25 in NOVELL:3999 idle 0:00:45 Bytes 0 flags saA
TCP out 24.125.128.97:25 in NOVELL:4000 idle 0:00:43 Bytes 0 flags saA
TCP out 24.125.128.97:25 in NOVELL:4001 idle 0:00:33 Bytes 0 flags saA
TCP out 24.125.128.97:25 in NOVELL:4002 idle 0:00:25 Bytes 0 flags saA
TCP out 24.125.128.97:25 in NOVELL:4003 idle 0:00:21 Bytes 0 flags saA
TCP out 24.125.128.97:25 in NOVELL:4004 idle 0:00:15 Bytes 0 flags saA
TCP out 24.125.128.97:25 in NOVELL:4005 idle 0:00:05 Bytes 0 flags saA
TCP out 24.125.128.97:25 in NOVELL:4006 idle 0:00:01 Bytes 0 flags saA




George Walkey
Senior Geek in charge

http://www.insyncva.com

 

[tm7wood]

What makes an entry in show local-host go away? We have entries in show local-host that are not on the network anymore.

 

[bytehd]

good question


George Walkey
Senior Geek in charge

http://www.insyncva.com

 

[ewdonsotum]

I think this is a license issue your running into. The Cisco pix firewall comes with 10 valid license, so you are limited to 10. This is a setting inherent in the OS. You need to get an OS from cisco that supports more users. Check it in the PDM.

https://192.168.1.1

and on the first screen it should tell you "inside host" and next to it you will probably see 10 no matter how many users are actually plugged in. There might be a work around. If you find it let us all know. THanks.

 

[bytehd]

i think its mac addresses?

the cisco docs say unique ips....

anyone know for sure?

George Walkey
Senior Geek in charge

http://www.insyncva.com

 

[NetworkDOC]

It is ip's, not mac. The reason I know we had a machine that was generating ip's trying to get out and propagate (a virus). It would generate all 254 of a subnet. The pix would see it and bam.... lock out whom ever wasn't already able to go out.

If you reboot the pix the local-host will reset. You can also do a cl local-host.

It is a simple upgrade to put the lic on when you need to. Just need the serial number.

 

[bytehd]

thanks!


George Walkey
Senior Geek in charge

http://www.insyncva.com

 

[br0ck]

cl arp

it's based on the arp table

if you have 11 computers behing a 10U pix and you have a host that doesnt need internet you can give a bogus GW address

or setup a proxy server and that will be 1 host to the pix

 

[AJ1982]

Or turn down the timeouts

===

Fatman Superstar (Andrew James)

CCNA, CCAI

 

[bytehd]

proxy server sounds nice, since there is only one mac addr.

just hate having to "Buy a firewall for the firewall"

heheh

George Walkey
Senior Geek in charge

http://www.insyncva.com

 

[lanbrown]

George,

Just buy the upgrade to go from 10 users to 50 or 10 to unlimited. It would cost you a couple hundred bucks for the 10 to 50 and several hundred for the unlimited.

 

[bytehd]

actually we swapped it out for other reasons
and found out that we received a 50 user instead

who whould think of crippling a firewall to make money...

oh yes, cisco.



George Walkey
Senior Geek in charge

http://www.insyncva.com

 

[LloydSev]

That's why it's a 501... if you needed more users, that's what the 506e is for... if they didn't offer a 501, people would complain because there isn't a cheaper alternative for their small networks.

It's all about the research of the product before purchasing it.

Computer/Network Technician
CCNA