ASA 9.12 and 9.13 nat problem! please help.

takkerZAB
Level 1

Hello.

I have a config on ASA 5525-X v9.10.2 and earlier. The config works fine!!! When I updated to version 9.12.2 or 9.13.1, an error appeared. Line 2 cannot be added: "ERROR: NAT unable to reserve ports"

Why is this not working? Not working on any port 3333 or 2222 or 3389 after update.

 

nat (internet,dmz) source static any any destination static 1.1.1.1 10.200.5.1 service 3333 3333 no-proxy-arp
nat (inside,dmz) source static any any destination static 1.1.1.1 10.200.5.1 service 3333 3333 no-proxy-arp
"ERROR: NAT unable to reserve ports"

 

Full config after "write erase"

-----------------------------

interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.141.254 255.255.255.0

 

interface GigabitEthernet0/1
nameif internet
security-level 0
ip address 192.168.142.254 255.255.255.0

 

interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.143.254 255.255.255.0

 

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

 

object network 1.1.1.1
host 1.1.1.1

 

object network 10.200.5.1
host 10.200.5.1

 

object service 3333
service tcp destination eq 3333

 

nat (internet,dmz) source static any any destination static 1.1.1.1 10.200.5.1 service 3333 3333 no-proxy-arp
nat (inside,dmz) source static any any destination static 1.1.1.1 10.200.5.1 service 3333 3333 no-proxy-arp
"ERROR: NAT unable to reserve ports"


Getting the error message "ERROR: NAT unable to reserve ports" means your ports are already used. Try to change the port number. That will fix the issue.

Please do not forget to rate.

Hello. I have a clean config (write erase). Only these 2 nat lines. This problem occurs with any port. Any!

2222,3333,1234,5432

On 9.10 this config works fine!

Can anyone explain why it works at 9.10, but not at 9.12?

Please, help. I need to upgrade to a new version, but nat is not working properly. How to fix the problem?

Hi, could you please share your firewall configuration? You can hide the real IP address. I shall test in a lab environment. Are you moving away from 9.x to 9.12?

Once you provide me the configuration, I shall get back to you.

Please do not forget to rate.

Hello.

I tested on ASA 5525-X and ASAv. Same problem.

All config is default. I do "write erase", then "reload", and then enter these lines from the console:

 

 

interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.141.254 255.255.255.0

 

interface GigabitEthernet0/1
nameif internet
security-level 0
ip address 192.168.142.254 255.255.255.0

 

interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.143.254 255.255.255.0

 

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

 

object network 1.1.1.1
host 1.1.1.1

 

object network 10.200.5.1
host 10.200.5.1

 

object service 3333
service tcp destination eq 3333

 

nat (internet,dmz) source static any any destination static 1.1.1.1 10.200.5.1 service 3333 3333 no-proxy-arp
nat (inside,dmz) source static any any destination static 1.1.1.1 10.200.5.1 service 3333 3333 no-proxy-arp
"ERROR: NAT unable to reserve ports"

You could try using "any" interface instead of inside / internet. I would suggest to do this during a service window.

no nat (internet,dmz) source static any any destination static 1.1.1.1 10.200.5.1 service 3333 3333 no-proxy-arp

nat (any,dmz) source static any any destination static 1.1.1.1 10.200.5.1 service 3333 3333 no-proxy-arp

 

--
Please remember to select a correct answer and rate helpful posts

takkerZAB
Level 1

Please help. The problem is still not resolved.

ASA software 9.13(1.3), 9.12(3.4) not available at Cisco download center

Check to see if the ports are already being used:

show conn | in 3333

show asp table socket

--
Please remember to select a correct answer and rate helpful posts

ccosgb
Level 1

Solution: asa9-12-3-7-smp-k8.bin

 

Revision:  Version 9.12(3)7 – 03/03/2020

Files:  asa9123-7-smp-k8.bin, cisco-asa-fp2k.9.12.3.7.SPA, cisco-asa.9.12.3.7.SPA.csp

Defects resolved since 9.12(3)2:

CSCvp70833

ASA/FTD: Twice nat Rule with same service displaying error "ERROR: NAT unable to reserve ports"

I’ll check this release soon.

Finally everything works! For a whole year this bug prevented me from updating the system. Glory to me and the developers, who first broke everything, then fixed it.
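
A pre-upgrade check for the condition discussed in this thread, as an added example that is not part of any post and not Cisco code: it scans a saved configuration for twice-NAT rules that reuse the same destination pair and service objects, which is what the accepted and the rejected rule above have in common. The function name, the sample config and the grouping heuristic are assumptions; the thread does not state the exact trigger of CSCvp70833.

```python
import re
from collections import defaultdict

# Constructed sample: the two rules from the thread plus one rule on another
# service object (2222 is one of the ports the poster mentions trying).
SAMPLE_CONFIG = """\
nat (internet,dmz) source static any any destination static 1.1.1.1 10.200.5.1 service 3333 3333 no-proxy-arp
nat (inside,dmz) source static any any destination static 1.1.1.1 10.200.5.1 service 3333 3333 no-proxy-arp
nat (inside,dmz) source static any any destination static 1.1.1.1 10.200.5.1 service 2222 2222 no-proxy-arp
"""

# Manual (twice) NAT rule that carries a destination pair and a service pair.
TWICE_NAT = re.compile(
    r"^nat \((?P<ifaces>[^)]+)\) .*?"
    r"destination static (?P<dst>\S+ \S+) "
    r"service (?P<svc>\S+ \S+)"
)


def find_same_service_twice_nat(config_text):
    """Return {(dst, svc): [(line_no, interfaces), ...]} for every
    destination/service pair used by more than one twice-NAT rule.
    Heuristic (assumption): grouping ignores the interface pair."""
    groups = defaultdict(list)
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = TWICE_NAT.match(line.strip())
        if m:  # "no nat ..." and non-NAT lines fail the ^nat anchor
            groups[(m["dst"], m["svc"])].append((line_no, m["ifaces"]))
    return {key: rules for key, rules in groups.items() if len(rules) > 1}


if __name__ == "__main__":
    for (dst, svc), rules in find_same_service_twice_nat(SAMPLE_CONFIG).items():
        print(f"destination static {dst} service {svc}:")
        for line_no, ifaces in rules:
            print(f"  line {line_no}: nat ({ifaces})")
```

Any group it reports is worth testing on a lab ASAv at the target release before upgrading production, since the rules load on 9.10 but the second one is rejected on the affected builds.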
