05-30-2019 12:43 PM
Hello.
i have config on asa 5525-x v9.10.2 and before it. Config working fine.
1) nat (internet,dmz) source static any any destination static x.x.x.x 10.200.5.1 service https https no-proxy-arp
2) nat (inside,dmz) source static any any destination static x.x.x.x 10.200.5.1 service https https no-proxy-arp
when I updated to the 9.12.1 and 9.12.2 version, an error appeared. Line 2 can not be added.
"ERROR: NAT unable to reserve ports"
Please tell me. What`s the problem in 9.12.X version ?
05-30-2019 02:13 PM
I honestly don't think it is version related.
Is the x.x.x.x the Public IP address of the firewall? If so, if ASDM is enable, you will get this error message.
Mike.
05-30-2019 10:28 PM
x.x.x.x sipmle public address from routed network. Not interface address.
05-31-2019 12:28 AM
same problem with 9.9.9.9 and 10.10.10.10
5525x(config)# nat (internet,inside) 10 source static any any destination static 9.9.9.9 10.10.10.10 service 3389 3389 no-proxy-arp
WARNING: Pool (0.0.0.0) overlap with existing pool.
5525x(config)# nat (internet2,inside) 11 source static any any destination static 9.9.9.9 10.10.10.10 service 3389 3389 no-proxy-arp
WARNING: Pool (0.0.0.0) overlap with existing pool.
ERROR: NAT unable to reserve ports.
06-03-2019 05:58 AM
There is still a problem. Please help.
06-03-2019 06:34 AM
Looking at the IP address, it seems to be that the assigned to the interface on the ASA.
The issue is, that your firewall has the port 443 enable for ASDM.
Also, look where you are pointing the destination address to the interface on the ASA.
To better assist you, please paste the configuration here.
Thanks,
Oscar
06-03-2019 07:20 AM
@Oscar Castillo wrote:Looking at the IP address, it seems to be that the assigned to the interface on the ASA.
The issue is, that your firewall has the port 443 enable for ASDM.
Also, look where you are pointing the destination address to the interface on the ASA.
To better assist you, please paste the configuration here.
Thanks,
Oscar
My test configuration:
5525x(config)# nat (internet,inside) 10 source static any any destination static 9.9.9.9 10.10.10.10 service 3389 3389 no-proxy-arp
WARNING: Pool (0.0.0.0) overlap with existing pool.
5525x(config)# nat (internet2,inside) 11 source static any any destination static 9.9.9.9 10.10.10.10 service 3389 3389 no-proxy-arp
WARNING: Pool (0.0.0.0) overlap with existing pool.
ERROR: NAT unable to reserve ports.
06-04-2019 06:45 AM
If due to security reasons you cannot share the configuration, I would suggest opening a TAC ticket, because we might need to see the entire configuration to verify where the error is.
Mike.
06-04-2019 11:58 PM
Tested on clean asa 5515-x. Same problem!
asa5515x(config)# nat (internet,inside) 1 source static any any destination static 9.9.9.9 10.10.10.10 service 3389 3389 no-proxy-arp
asa5515x(config)# nat (internet2,inside) 2 source static any any destination static 9.9.9.9 10.10.10.10 service 3389 3389 no-proxy-arp
WARNING: Pool (0.0.0.0) overlap with existing pool.
ERROR: NAT unable to reserve ports.
ASA Version 9.12(2)
!
hostname asa5515x
domain-name
enable password
names
no mac-address auto
!
interface GigabitEthernet0/0
nameif internet
security-level 0
ip address 7.7.7.7 255.255.255.0
!
interface GigabitEthernet0/1
nameif internet2
security-level 0
ip address 7.7.8.7 255.255.255.0
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 10.7.8.7 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 10.10.5.235 255.255.255.0
!
boot system disk0:/asa9-12-2-smp-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name sgb.rus
object service 3389
service tcp destination eq 3389
object-group network 9.9.9.9
network-object host 9.9.9.9
object-group network 10.10.10.10
network-object host 10.10.10.10
pager lines 24
mtu management 1500
mtu internet 1500
mtu internet2 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (internet,inside) source static any any destination static 9.9.9.9 10.10.10.10 service 3389 3389 no-proxy-arp
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 60
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect-essentials
cache
disable
error-recovery disable
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
06-04-2019 03:01 AM
Seems that ASDM 9.12.2 is completely broken, you also get error messages with ACLs, because it sends a nonexisting command:
[ERROR] access-list mode manual-commit
access-list mode manual-commit
^
ERROR: % Invalid input detected at '^' marker.
06-04-2019 06:46 AM
Hi,
Would you be able to describe the steps to reproduce this problem?
Mike.
06-04-2019 06:55 AM - edited 06-04-2019 06:57 AM
1. Open ASDM > Configuration > Firewall > Advanced > ACL Manager
2. Add new ACL
3. Add new ACE
4. When you click Apply, an error window appears.
Also applies to existing ACLs in the Access Rules section with ASDM 7.12.2 and ASA 9.8.3 or 9.12.2.
06-04-2019 07:09 AM
Awesome.
When you upgraded the Firewall version, did you also upgrade the ASDM?
What ASDM version are you using?
06-04-2019 07:40 AM - edited 06-04-2019 07:46 AM
I upgraded only ASDM.
The issue present in both versions: 9.8.3 with the existing configuration on 5516-X and 9.12.2 with a clean install on ASAv.
06-04-2019 08:21 AM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide