Issues in Dynamic NAT in ASA 5550

Unanswered Question
Sep 23rd, 2008

Hi

I am from a medium-sized service provider providing Internet service via Ethernet. I am fixing an ASA5550 to do dynamic NAT. We have 30,000 customers under the firewall who will be dynamically NATted to around 8000 public IP addresses. The problem I am facing is that the firewall is automatically creating a dynamic NAT session entry when a client PC LAN card is just plugged in (I mention here, just plugged in, no Internet-bound traffic is generated), as a result reserving a public IP address without any good reason. As a result we are running the risk of depleting the public IP pool for customers who don't even want to surf the Internet but whose PC is just switched on.

After some workarounds I have figured out that this is happening due to DNS broadcast requests coming from the client PC, but if we stop that DNS request the client cannot surf the Internet.

So, is there any way to solve the issue? Is there any type of condition that can be specified so that the firewall will create the NAT session only when DNS traffic along with WWW traffic comes from the client?

Any suggestion is most welcome.

Abhishek Pal

alliancebroadba... Fri, 09/26/2008 - 22:21

Hi

In that case surely the firewall will not perform the NAT. But let's assume for now that the client will need both DNS and WWW traffic to qualify for NAT translation.

We can impose this restriction on the customer easily, since to go to the Internet he has to perform a web login through our portal.

Waiting for your valued response.

Abhishek

Mmmmm, interesting one - I think you could try policy-based NAT, something like:

access-list customer-nat permit tcp host x.x.x.x any eq 80

access-list customer-nat permit udp host x.x.x.x any eq 53

static (inside,outside) y.y.y.y access-list customer-nat

The above ONLY allows the translation to the outside on a specific IP address from a specific inside host.

OR, if you don't want to give a specific static IP:

global (outside) 666 interface

nat (inside) 666 access-list customer-nat

This means the customer host will use the outside interface IP.

You can mix and match the above examples... you could have multiple customers using the same IP address - just PAT it. Then there is a limit on the number of PAT sessions per NAT address... 65535!!!

Don't think you would reach that! One more thing - you can't do the above in any code lower than 7.x.

HTH
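A fuller version of the policy NAT configuration sketched in the reply above, added here as an illustration; it is not from the original thread and does not come from Cisco. The inside subnet, the public pool range and the NAT ID are placeholders, and the syntax is the pre-8.3 `nat`/`global` form the reply uses. Instead of a single host and the interface address, it translates the whole customer range into a pool of public addresses, keeps the reply's HTTP/DNS restriction, falls back to interface PAT when the pool is exhausted, and shortens the translation timeout so that an address consumed by a stray DNS lookup returns to the pool sooner.

```cisco
! --- Added example, not from the original thread. Placeholders:
!     10.0.0.0/8            customer (inside) address space
!     203.0.113.0/24        public pool handed out by dynamic NAT
!     NAT ID 10             ties the nat and global statements together

! Only HTTP and DNS from the customer range are eligible for translation.
! Any other traffic from these hosts does not match the policy and is
! not translated (and therefore creates no xlate).
access-list customer-nat extended permit tcp 10.0.0.0 255.0.0.0 any eq www
access-list customer-nat extended permit udp 10.0.0.0 255.0.0.0 any eq domain

! Dynamic NAT pool: one public address per active inside host.
global (outside) 10 203.0.113.1-203.0.113.254 netmask 255.255.255.0

! Same ID, interface address: once the pool is exhausted the ASA
! falls back to PAT on the outside interface instead of dropping traffic.
global (outside) 10 interface

! Apply the policy: hosts are translated via pool 10 only for traffic
! that matches the access list.
nat (inside) 10 access-list customer-nat

! Default xlate idle timeout is 3:00:00; one hour returns an idle
! address to the pool sooner without affecting active browsing.
timeout xlate 1:00:00

! Checks after applying the config:
!   show nat                 - confirms the policy and its hit counts
!   show xlate count         - how many pool addresses are in use
!   show xlate               - which inside host holds which global address
!   clear xlate              - drops all current translations (disruptive)
```

One caveat a practitioner should keep in mind: on the ASA a dynamic translation is created by the first packet that matches the `nat` rule, so with UDP/53 in the access list a DNS query on its own still consumes a pool address. The policy limits which traffic is translated; it does not make the translation conditional on a later HTTP session. What the example does change is how quickly such an address is released (the `timeout xlate` line) and what happens when the pool runs out (the interface `global` line), which is where the original question's exhaustion risk lies. `show xlate count` before and after the change is the simplest way to measure the effect.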
