Cisco ASA 5505 :: Techniques for limiting consumed hosts (max 10 with base license)

Solution 1:

It isn't nice, but putting a NAT router in between the ASA and your internal network will limit the number of hosts the ASA counts, since it will only count the NAT router, and nothing behind it, as a host.

The upgrade to a higher number isn't that expensive in my experience - probably worth paying that rather than dealing with the hassle of NATing your internal network.

In my experience Cisco have taken a LONG time to issue upgrade keys - so make sure to place your order in good time. I used the NAT trick to get a remote (remote as in Kinshasa) network up and running when I found the 10 hosts issue during a site visit. That tided us over until Cisco got us the upgrade, and we could reconfigure the ASA.

You might not have to use NAT - I think just having a routed subnet would probably work, but I haven't tried that.

Solution 2:

The question was essentially: without upgrading, what techniques can one employ to conserve host usage? @dunxd was the closest, so he gets the nod, although the expense of sticking a router between the ASA and servers is greater than the upgrade (setup in a colo facility, pay $$ per U per month).

For future ASA newbies, the 10 host limit applies to any internal interface (DMZ or private) that initiates or receives traffic to/from the outside. So, in my case I have a web server NIC set on DMZ interface 172.16.x.x with 5 aliases x.2, x.3, etc. Host count is 6. I also have 2 name servers on the DMZ, which bring the host count to 8. That's fine, in line with license terms. However, check this out:

If you VPN into your ASA and then SSH into one of the internal servers on a private interface, that too will increment your host count. A bit shady, IMO, that when I SSH into the DMZ web server on its 10.1.x.x NIC (private interface), that counts as a host (already getting a 6X host count for the DMZ interface on this SAME machine). At any rate, VPN access is not considered local access, even though you bypass any access-lists applicable to "true" outside users and are effectively working on the inside.

This latter point Cisco TAC has nothing to say about, but, sorry, "can't comment on that", as in, yes, I agree, but I like my job.

In the end you have to upgrade. Just tough to justify the expense in a budget hosting setup -- it's like increasing taxes for the poor during a recession. Cisco takes their cheapest device, then applies restrictions on its use that make it non-usable for anything beyond the simplest use cases. Bah, rant over ;-) Hope this helps future newbies...

Solution 3:

$300 buys an upgrade to your license. That may be a better long-term solution.