https://community.cisco.com/t5/network-security/strange-nat-problem/m-p/2566358#M201938 <P>Hi,</P><P>&nbsp;</P><P>The Manual NAT / Twice NAT configuration you have shown above seems to have the <STRONG>"service" </STRONG>configuration wrong.</P><P>&nbsp;</P><P>The format of the command is</P><P>&nbsp;</P><P><STRONG>nat (sourceint,destint) source static &lt;source real&gt; &lt;source mapped&gt; service &lt;source service real&gt; &lt;source service mapped&gt;</STRONG></P><P>&nbsp;</P><P>And when you look at the above format you will notice that if you are doing Static PAT (Port Forward) you would need to configure the <STRONG>"object service"</STRONG> in the following way</P><P>&nbsp;</P><P><STRONG>object service RDP<BR />&nbsp;service tcp source eq &lt;port&gt;</STRONG></P><P>&nbsp;</P><P>And so on.</P><P>&nbsp;</P><P>Now that you have <STRONG>"destination"</STRONG> there it will actually match the translation when the connection is coming from<STRONG> "inside"</STRONG> towards <STRONG>"outside"</STRONG> with the mapped destination port. So no actual Static PAT is performed.</P><P>&nbsp;</P><P>If you wanted to use Auto NAT / Network Object NAT the configuration is much simpler. I personally pretty much always use this</P><P>&nbsp;</P><P><STRONG>object network &lt;object name&gt;<BR />&nbsp; host &lt;real ip&gt;<BR />&nbsp; nat (sourceint,destint) static &lt;interface or actual ip&gt; service tcp &lt;real port&gt; &lt;mapped port&gt;</STRONG></P><P>&nbsp;</P><P>If with either of these configurations the ASA gives the error message then make sure that the mapped port is not used in another NAT configuration. If there is no clear problem then it might be some bug. I have had this happen a couple of times and I have had to reboot the firewall.</P><P>&nbsp;</P><P>Hope this helps <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>- Jouni</P> Tue, 23 Dec 2014 12:14:15 GMT Jouni Forss 2014-12-23T12:14:15Z https://community.cisco.com/t5/network-security/strange-nat-problem/m-p/2566357#M201937 <P>Hello!</P><P>I have ASA 5515, ASA version: 9.3(1), ASDM version: 7.3(1)101.</P><P>&nbsp;</P><P>I try to create some port forwardings,&nbsp;but every time get:&nbsp;ERROR: NAT unable to reserve ports.&nbsp;</P><P>I found out, that this somehow connected with service objects.</P><P>For example, I want to publish my RDP server:</P><P>object service rdp</P><P style="font-size: 14px;">&nbsp;&nbsp;&nbsp; service tcp destination eq 3398</P><P style="font-size: 14px;">object service rdp-outside</P><P style="font-size: 14px;">&nbsp;&nbsp;&nbsp; service tcp destination eq 3333</P><P style="font-size: 14px;">object network rdp-server</P><P style="font-size: 14px;">&nbsp;&nbsp;&nbsp; host 192.168.1.2</P><P style="font-size: 14px;">nat (inside,outside) source static drp-server interface service rdp <SPAN style="font-size: 14px;">rdp-outside</SPAN></P><P style="font-size: 14px;">ERROR: NAT unable to reserve ports.&nbsp;</P><P style="font-size: 14px;">This error appears if I try to accomplish this through ASDM-gui both if I try to create NAT rule manually and through network object<SPAN style="font-size: 14px;">(Add automatic address translation rule)</SPAN>.</P><P style="font-size: 14px;">The only way I can create port mapping is if I remove rdp and rdp-otside service objects and configure NAT in&nbsp;<SPAN style="font-size: 14px;">network object(Add automatic address translation rule).</SPAN></P><P style="font-size: 14px;">Can someone help me?</P><P style="font-size: 14px;">Thanks!</P><P style="font-size: 14px;">&nbsp;</P> Tue, 12 Mar 2019 05:15:27 GMT https://community.cisco.com/t5/network-security/strange-nat-problem/m-p/2566357#M201937 bondandrey 2019-03-12T05:15:27Z https://community.cisco.com/t5/network-security/strange-nat-problem/m-p/2566358#M201938 <P>Hi,</P><P>&nbsp;</P><P>The Manual NAT / Twice NAT configuration you have shown above seems to have the <STRONG>"service" </STRONG>configuration wrong.</P><P>&nbsp;</P><P>The format of the command is</P><P>&nbsp;</P><P><STRONG>nat (sourceint,destint) source static &lt;source real&gt; &lt;source mapped&gt; service &lt;source service real&gt; &lt;source service mapped&gt;</STRONG></P><P>&nbsp;</P><P>And when you look at the above format you will notice that if you are doing Static PAT (Port Forward) you would need to configure the <STRONG>"object service"</STRONG> in the following way</P><P>&nbsp;</P><P><STRONG>object service RDP<BR />&nbsp;service tcp source eq &lt;port&gt;</STRONG></P><P>&nbsp;</P><P>And so on.</P><P>&nbsp;</P><P>Now that you have <STRONG>"destination"</STRONG> there it will actually match the translation when the connection is coming from<STRONG> "inside"</STRONG> towards <STRONG>"outside"</STRONG> with the mapped destination port. So no actual Static PAT is performed.</P><P>&nbsp;</P><P>If you wanted to use Auto NAT / Network Object NAT the configuration is much simpler. I personally pretty much always use this</P><P>&nbsp;</P><P><STRONG>object network &lt;object name&gt;<BR />&nbsp; host &lt;real ip&gt;<BR />&nbsp; nat (sourceint,destint) static &lt;interface or actual ip&gt; service tcp &lt;real port&gt; &lt;mapped port&gt;</STRONG></P><P>&nbsp;</P><P>If with either of these configurations the ASA gives the error message then make sure that the mapped port is not used in another NAT configuration. If there is no clear problem then it might be some bug. I have had this happen a couple of times and I have had to reboot the firewall.</P><P>&nbsp;</P><P>Hope this helps <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>- Jouni</P> Tue, 23 Dec 2014 12:14:15 GMT https://community.cisco.com/t5/network-security/strange-nat-problem/m-p/2566358#M201938 Jouni Forss 2014-12-23T12:14:15Z