Was not aware that ASA 5505 base license restricts number of concurrent hosts to 10 (RTFM, I know). Running a 'show local-host' I see my host count at 8, a bit too close for comfort with a production web server sitting behind the ASA.Investigating further, I see a couple of hosts counted that are restricted to VPN access only, which surprised me since these are internal hosts that do not receive nor initiate traffic to/from outside. Or so I thought, looks like the 2 internal hosts in question (Linux boxes) periodically send a single UDP packet over port 123 to outside NTP servers to keep correct system time.

1. Asa 5505 No Dmz Name If You Look

That's a bit severe, no? Single packet counts as a host, ouch.At any rate, thinking I can preserve these 2 hosts by using one the publicly accessible servers as an NTP server, rather than going outside to public NTP server to get the current time. Download game spongebob squarepants. Basically I'd like host count to go against:1) our 2 name servers2) production web server accepting 4 NAT'd public-to-dmz IPsand not against private servers that simply need their system times up-to-date.Also, just to clarify, host count is based on any internal interface that receives/initiates traffic to/from the outside?

In other words, a server on private 10.1.x.x that has no connectivity to the outside is NOT counted as a host.For the time being I need to stay within base license 10 host limit, but will obviously upgrade to 50 user license as capacity needs increase. It isn't nice but putting a NAT router in between the ASA and your internal network will limit the number of hosts the ASA counts, since it will only count the NAT router, and nothing behind it as a host.The upgrade to a higher number isn't that expensive in my experience - probably worth paying that than dealing with the hassle of NATing your internal network.In my experience Cisco have taken a LONG time to issue upgrade keys - so make sure to place your order in good time.

I used the NAT trick to get a remote (remote as in Kinshasa) network up and running when I found the 10 hosts issue during a site visit. That tided us over until Cisco got us the upgrade, and we could reconfigure the ASA.You might not have to use NAT - I think just having a routed subnet would probably work, but I haven't tried that. Hmmm, good point, I do have a gigabit switch between the servers and ASA, but I don't believe that will do NAT as you are suggesting. The switch gives me a LAN (192.16.8.x.x) outside of 10.1.x.x (private) and 172.16.x.x (dmz), so I'm planning on using that to sync up with an internal NTP server and save 3 host connections (that only go outside to get time). In the end, you're right, upgrading is the path of least resistance.

Of course, I'm resisting Cisco small biz extortion, thus the question and workarounds;-)–Oct 25 '11 at 11:06. The question was essentially: without upgrading, what techniques can one employ to conserve host usage. @dunxd was the closest so he gets the nod, although the expense of sticking a router between the ASA and servers is greater than the upgrade (setup in a colo facility, pay $$ per U per month)For future ASA newbies, the 10 host limit applies to any internal interface (dmz or private) that initiates or receives traffic to/from the outside. So, in my case I have a web server NIC set on DMZ interface 172.16.x.x with 5 aliases x.2, x.3, etc. Host count is 6.

Asa 5505 No Dmz Name If You Look

I also have 2 name servers on the DMZ which bring the host count to 8. That's fine, in-line with license terms. However, check this out:If you VPN into your ASA and then SSH into 1 of the internal servers on a private interface, that too will increment your host count. A bit shady, IMO, when I ssh into the dmz web server on its 10.1.x.x NIC (private interface) that that counts as a host (already getting 6X host count for the dmz interface on this SAME machine). At any rate, VPN access is not considered local access, even though you bypass any access-lists applicable to 'true' outside users and are effectively working on the inside.This latter point Cisco TAC has nothing do say about, but, sorry, 'can't comment on that', as in, yes, I agree, but like my job.In the end you have to upgrade. Just tough to justify the expense in a budget hosting setup - it's like increasing taxes for the poor during a recession. Cisco takes their cheapest device, then applies restrictions on its use that make it non-usable for anything beyond the simplest use cases.

Bah, rant over;-) Hope this helps future newbies.