cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6592
Views
10
Helpful
20
Replies

ASA v9.12.x nat problem

takkerZAB
Level 1
Level 1

Hello.

i have config on asa 5525-x v9.10.2 and before it. Config working fine.

1) nat (internet,dmz) source static any any destination static x.x.x.x 10.200.5.1 service https https no-proxy-arp
2) nat (inside,dmz) source static any any destination static x.x.x.x 10.200.5.1 service https https no-proxy-arp


when I updated to the 9.12.1 and 9.12.2 version, an error appeared. Line 2 can not be added.
"ERROR: NAT unable to reserve ports"

Please tell me. What`s the problem in 9.12.X version ?

20 Replies 20

Maykol Rojas
Cisco Employee
Cisco Employee

I honestly don't think it is version related. 

Is  the x.x.x.x the Public IP address of the firewall? If so, if ASDM is enable, you will get this error message. 

 

Mike. 

 

Mike

x.x.x.x sipmle public address from routed network. Not interface address.

takkerZAB
Level 1
Level 1

same problem with 9.9.9.9 and 10.10.10.10

 

5525x(config)# nat (internet,inside) 10 source static any any destination static 9.9.9.9 10.10.10.10 service 3389 3389 no-proxy-arp
WARNING: Pool (0.0.0.0) overlap with existing pool.
5525x(config)# nat (internet2,inside) 11 source static any any destination static 9.9.9.9 10.10.10.10 service 3389 3389 no-proxy-arp
WARNING: Pool (0.0.0.0) overlap with existing pool.
ERROR: NAT unable to reserve ports.

There is still a problem. Please help.

Looking at the IP address, it seems to be that the assigned to the interface on the ASA.

The issue is, that your firewall has the port 443 enable for ASDM. 

 

Also, look where you are pointing the destination address to the interface on the ASA.

 

To better assist you, please paste the configuration here.

 

 

Thanks,

Oscar


@Oscar Castillo wrote:

Looking at the IP address, it seems to be that the assigned to the interface on the ASA.

The issue is, that your firewall has the port 443 enable for ASDM. 

 

Also, look where you are pointing the destination address to the interface on the ASA.

 

To better assist you, please paste the configuration here.

 

 

Thanks,

Oscar


My test configuration:

 

5525x(config)# nat (internet,inside) 10 source static any any destination static 9.9.9.9 10.10.10.10 service 3389 3389 no-proxy-arp
WARNING: Pool (0.0.0.0) overlap with existing pool.
5525x(config)# nat (internet2,inside) 11 source static any any destination static 9.9.9.9 10.10.10.10 service 3389 3389 no-proxy-arp
WARNING: Pool (0.0.0.0) overlap with existing pool.
ERROR: NAT unable to reserve ports.

If due to security reasons you cannot share the configuration, I would suggest opening a TAC ticket, because we might need to see the entire configuration to verify where the error is. 

 

Mike. 

Mike

Tested on clean asa 5515-x. Same problem!

 

asa5515x(config)# nat (internet,inside) 1 source static any any destination static 9.9.9.9 10.10.10.10 service 3389 3389 no-proxy-arp
asa5515x(config)# nat (internet2,inside) 2 source static any any destination static 9.9.9.9 10.10.10.10 service 3389 3389 no-proxy-arp
WARNING: Pool (0.0.0.0) overlap with existing pool.
ERROR: NAT unable to reserve ports.

 


ASA Version 9.12(2)
!
hostname asa5515x
domain-name 
enable password 
names
no mac-address auto

!
interface GigabitEthernet0/0
nameif internet
security-level 0
ip address 7.7.7.7 255.255.255.0
!
interface GigabitEthernet0/1
nameif internet2
security-level 0
ip address 7.7.8.7 255.255.255.0
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 10.7.8.7 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 10.10.5.235 255.255.255.0
!
boot system disk0:/asa9-12-2-smp-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name sgb.rus
object service 3389
service tcp destination eq 3389
object-group network 9.9.9.9
network-object host 9.9.9.9
object-group network 10.10.10.10
network-object host 10.10.10.10
pager lines 24
mtu management 1500
mtu internet 1500
mtu internet2 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (internet,inside) source static any any destination static 9.9.9.9 10.10.10.10 service 3389 3389 no-proxy-arp
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 60
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect-essentials
cache
disable
error-recovery disable
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily

 

 

navion
Level 1
Level 1

Seems that ASDM 9.12.2 is completely broken, you also get error messages with ACLs, because it sends a nonexisting command:

[ERROR] access-list mode manual-commit
access-list mode manual-commit
^
ERROR: % Invalid input detected at '^' marker.

Hi, 

 

Would you be able to describe the steps to reproduce this problem? 

Mike. 

Mike

1. Open ASDM > Configuration > Firewall > Advanced > ACL Manager
2. Add new ACL
3. Add new ACE
4. When you click Apply, an error window appears.

Also applies to existing ACLs in the Access Rules section with ASDM 7.12.2 and ASA 9.8.3 or 9.12.2.

Awesome. 

When you upgraded the Firewall version, did you also upgrade the ASDM?

What ASDM version are you using? 

 

Mike

I upgraded only ASDM.
The issue present in both versions: 9.8.3 with the existing configuration on 5516-X and 9.12.2 with a clean install on ASAv.

What version of ASDM are you running?
Mike
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: