I am from a medium-sized service provider providing Internet service via Ethernet. I am fixing an ASA5550 to do dynamic NAT. We have 30,000 customers under the firewall who will be dynamically NATted to around 8,000 public IP addresses. The problem I am facing is that the firewall automatically creates a dynamic NAT session entry when a client PC's LAN card is just plugged in (I mention here: just plugged in, no Internet-bound traffic is generated), and as a result reserves a public IP address without any good reason. So we are running the risk of depleting the public IP pool on customers who don't even want to surf the Internet, but whose PC is just switched on.
After some workarounds I have figured out that this is happening due to DNS broadcast requests coming from the client PC, but if we stop that DNS request the client cannot surf the Internet.
So, is there any way to solve the issue? Is there any type of condition that can be specified so that the firewall will create the NAT session only when DNS traffic along with the WWW traffic comes from the client?
The above ONLY allows the translation to the outside on a specific IP address from a specific inside host?
OR if you don't want to give a specific static IP:-
global (outside) 666 interface
nat (inside) 666 access-list customer-nat
Means the customer host will use the outside interface IP.
You can mix and match with the above examples... you could have multiple customers using the same IP address - just PAT it. There is a limit on the number of PAT sessions per NAT address... 65535!!!
Don't think you would reach that! One more thing - you can't do the above in any code lower than 7.x
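As an added example (not from the original reply or from Cisco), here is one way to put the policy-NAT idea above to work on the original poster's problem: DNS from customer PCs is given its own NAT ID and PATted to a couple of addresses, while only web traffic draws from the dynamic pool, so a PC that merely boots and resolves names no longer reserves a whole pool address. The customer range 10.0.0.0/8, the public pool 203.0.113.0/24 and the PAT addresses are placeholders; pre-8.3 nat/global syntax as in the thread is assumed.

```cisco
! Added example, not part of the original thread. Placeholder addresses:
! customers 10.0.0.0/8, public pool 203.0.113.0/24 (documentation range).
!
! ACL 1: name resolution only. Matched first, so DNS never touches the pool.
access-list customer-dns extended permit udp 10.0.0.0 255.0.0.0 any eq domain
access-list customer-dns extended permit tcp 10.0.0.0 255.0.0.0 any eq domain
!
! ACL 2: the web traffic that should actually consume a pool address.
access-list customer-web extended permit tcp 10.0.0.0 255.0.0.0 any eq www
access-list customer-web extended permit tcp 10.0.0.0 255.0.0.0 any eq https
!
! NAT ID 2: DNS is PATted on a few single addresses (65535 ports each, as
! noted in the reply above); thousands of resolvers share them.
global (outside) 2 203.0.113.253
global (outside) 2 203.0.113.254
nat (inside) 2 access-list customer-dns
!
! NAT ID 1: web traffic takes a one-to-one address from the dynamic pool and,
! once the pool is exhausted, falls back to PAT on the outside interface.
global (outside) 1 203.0.113.1-203.0.113.250 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 access-list customer-web
!
! Anything not matched by either ACL gets no translation and is dropped at
! the outside interface, so chatty hosts cannot reserve pool addresses.
!
! Shorter idle xlate timeout (default 3:00:00) returns addresses of idle
! customers to the pool sooner; tune to the traffic profile.
timeout xlate 0:30:00
!
! Checks: "show xlate count" for pool usage, "show xlate | include Global 203.0.113.25"
! to confirm DNS lands on the PAT addresses rather than the pool.
```

Policy NAT entries are evaluated in configuration order, which is why the DNS rule is entered before the web rule; a host that later browses will hold one PAT slot on NAT ID 2 plus one pool address on NAT ID 1.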