Cisco ASA 5505 :: Techniques for limiting consumed hosts (max 10 with base license)


Was not aware that ASA 5505 base license restricts number of concurrent hosts to 10 (RTFM, I know). Running a "show local-host" I see my host count at 8, a bit too close for comfort with a production web server sitting behind the ASA.

Investigating further, I see a couple of hosts counted that are restricted to VPN access only, which surprised me since these are internal hosts that neither receive nor initiate traffic to/from outside. Or so I thought; it looks like the 2 internal hosts in question (Linux boxes) periodically send a single UDP packet over port 123 to outside NTP servers to keep correct system time. That's a bit severe, no? A single packet counts as a host, ouch.

At any rate, thinking I can preserve these 2 hosts by using one of the publicly accessible servers as an NTP server, rather than going outside to a public NTP server to get the current time. Basically I'd like the host count to go against:

1) our 2 name servers
2) production web server accepting 4 NAT'd public-to-dmz IPs

and not against private servers that simply need their system times up-to-date.

Also, just to clarify, host count is based on any internal interface that receives/initiates traffic to/from the outside? In other words, a server on private 10.1.x.x that has no connectivity to the outside is NOT counted as a host.

For the time being I need to stay within the base license's 10-host limit, but will obviously upgrade to the 50-user license as capacity needs increase.

Best Answer

It isn't nice, but putting a NAT router in between the ASA and your internal network will limit the number of hosts the ASA counts, since it will only count the NAT router, and nothing behind it, as a host.

The upgrade to a higher number isn't that expensive in my experience - probably worth paying that rather than dealing with the hassle of NATing your internal network.

In my experience Cisco have taken a LONG time to issue upgrade keys - so make sure to place your order in good time. I used the NAT trick to get a remote (remote as in Kinshasa) network up and running when I found the 10 hosts issue during a site visit. That tided us over until Cisco got us the upgrade, and we could reconfigure the ASA.

You might not have to use NAT - I think just having a routed subnet would probably work, but I haven't tried that.