I am from a medium-sized service provider providing Internet service via Ethernet. I am setting up an ASA5550 to do dynamic NAT. We have 30,000 customers behind the firewall who will be dynamically NATted to around 8,000 public IP addresses. The problem I am facing is that the firewall automatically creates a dynamic NAT session entry when a client PC's LAN card is just plugged in (I stress: just plugged in, with no Internet-bound traffic generated), and as a result reserves a public IP address for no good reason. So we are running the risk of depleting the public IP pool because of customers who don't even want to surf the Internet but whose PC is simply switched on.
After some workarounds I have figured out that this is happening due to DNS broadcast requests coming from the client PC, but if we stop those DNS requests the client cannot surf the Internet.
So, is there any way to solve the issue? Is there any kind of condition that can be specified so that the firewall will create the NAT session only when WWW traffic, along with the DNS traffic, comes from the client?
Any suggestion is most welcome.