Hi Folks,
I bought the PIX 501 w/ 10 user licenses on the advice of the folks who run the colocation facility in which I put my client's gear. Well, I interpreted 10-users as referring to hosts protected by the firewall (not incoming connections). So then I get the docs and it says (p. 9 of Quick Start Guide booklet) what it considers a "host" and now I'm not sure. Here's the text from the booklet:
Active Host Limitation
The PIX 501 supports up to 32 DHCP address leases with a 10-user license, up to 128 with an optional 50-user license, and 256 with an unlimited license. A host is considered active when any of the following statements are true:
- The host has passed traffic through the PIX Firewall in the last 30 seconds.
- The host has an established NAT/PAT translation through the PIX firewall.
- The host has an established TCP connection or UDP session through the PIX firewall.
- The host has an established user authentication through the PIX firewall.
OK, so we're talking about DHCP limitations and NAT/PAT. Clearly those issues refer only to boxes behind the firewall, not on the WAN side, right? So does the whole question have to do with boxes talking to the switch ports, not coming in from the WAN port? But hosts from outside also "pass traffic through the PIX Firewall" and, at least in my application, "have established TCP connections" (more than a hundred of these isn't uncommon). Since it's allowing this number of outside connections to come in, does that mean I'm in the clear?
So, can someone shed some light on this? And, in particular, is there any way to see how many "hosts" the PIX thinks are in operation at the moment?
Thanks for any input. I'm just going to see what other docs I can discover in the Cisco labyrinth, I mean site....
John Craig
Alpha-G Consulting, LLC
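As an added illustration (not part of the post or Cisco's code), here is a small model of the four "active host" tests quoted from the booklet, applied only to hosts on the inside interface; that inside-only filter, the 30-second window and all addresses, sessions and timestamps are constructed assumptions for the example.

```python
# Added illustration of the PIX 501 "active host" rules quoted above.
# All hosts, addresses and timestamps below are constructed sample data.
from dataclasses import dataclass
from typing import List, Optional

ACTIVE_WINDOW = 30  # seconds: "passed traffic ... in the last 30 seconds"


@dataclass
class Host:
    ip: str
    interface: str                        # "inside" or "outside"
    last_traffic: Optional[float] = None  # when the host last passed traffic through the PIX
    xlates: int = 0                       # NAT/PAT translations currently held
    sessions: int = 0                     # established TCP connections / UDP sessions
    authenticated: bool = False           # user authentication entry present


def is_active(host: Host, now: float) -> bool:
    """True if any of the four booklet conditions holds for this host."""
    recent = host.last_traffic is not None and now - host.last_traffic <= ACTIVE_WINDOW
    return recent or host.xlates > 0 or host.sessions > 0 or host.authenticated


def count_licensed_hosts(hosts: List[Host], now: float) -> int:
    """Count active hosts on the inside interface only.
    Assumption of this model: outside peers are never counted, however many
    connections they hold to an inside server."""
    return sum(1 for h in hosts if h.interface == "inside" and is_active(h, now))


def sample_hosts(now: float) -> List[Host]:
    """Constructed scenario: one inside server with 120 outside peers."""
    inside = [
        Host("10.0.0.10", "inside", last_traffic=now - 1, sessions=120),  # the server
        Host("10.0.0.11", "inside", last_traffic=now - 45, xlates=1),     # idle, xlate held
        Host("10.0.0.12", "inside", last_traffic=now - 45),               # idle 45 s, nothing held
        Host("10.0.0.13", "inside", authenticated=True),                  # never sent traffic
    ]
    outside = [Host(f"203.0.113.{i}", "outside", last_traffic=now, sessions=1)
               for i in range(1, 121)]
    return inside + outside


if __name__ == "__main__":
    now = 1_000_000.0
    hosts = sample_hosts(now)
    # The 120 outside connections count once, via the server; the host idle
    # for 45 s with nothing held is not counted.
    print("active inside hosts:", count_licensed_hosts(hosts, now))
```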