02-08-2013 03:48 AM - edited 03-11-2019 05:57 PM
: Saved
: Written by enable_15 at 03:51:29.049 UTC Mon Feb 4 2013
!
ASA Version 8.4(4)1
!
hostname ciscoasa
enable password xxxxx encrypted
passwd xxxxx encrypted
names
!
interface Ethernet0/0
switchport access vlan 100
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 103
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan100
nameif outside
security-level 0
ip address dhcp
!
interface Vlan103
nameif inside
security-level 100
ip address 192.xx.xx.253 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server xx.xx.xx.250
name-server xx.xx.xx.250
object network obj_any
subnet 0.0.0.0 0.0.0.0
!
object network obj_sip
host 192.xx.xx.200
!
object service objg_sip_tcp2_4050
service tcp source eq 4050
object service objg_sip_tcp2_4054
service tcp source eq 4054
!
object service objg_sip_udp2_4003
service udp source range 4003 4005
object service objg_sip_udp2_5060
service udp source eq sip
object service objg_sip_udp2_9000
service udp source range 9000 19000
!
object-group service objg_sip_tcp tcp
port-object eq 4050
port-object eq 4054
!
object-group service objg_sip_udp udp
port-object range 4003 4005
port-object eq sip
port-object range 9000 19000
!
access-list i-to-o extended permit tcp 192.xx.xx.0 255.255.255.0 any
access-list i-to-o extended permit icmp 192.xx.xx.0 255.255.255.0 any
access-list i-to-o extended permit udp 192.xx.xx.0 255.255.255.0 any
!
access-list o-to-i extended permit tcp any object obj_sip object-group objg_sip_tcp
access-list o-to-i extended permit udp any object obj_sip object-group objg_sip_udp
!
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
nat (inside,outside) source static obj_sip interface service objg_sip_tcp2_4050 objg_sip_tcp2_4050
nat (inside,outside) source static obj_sip interface service objg_sip_tcp2_4054 objg_sip_tcp2_4054
nat (inside,outside) source static obj_sip interface service objg_sip_udp2_4003 objg_sip_udp2_4003
!
object network obj_any
nat (inside,outside) dynamic interface
!
access-group o-to-i in interface outside
access-group i-to-o in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
!
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.xx.xx.54 255.255.255.255 inside
telnet timeout 30
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username igor password 0cm30kMeT98PBJOU encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ec0d658a23cfaa327a78ca2847a57c07
: end
Error: "NAT unable to reserve ports" for
nat (inside,outside) source static obj_sip interface service objg_sip_udp2_5060 objg_sip_udp2_5060
and
nat (inside,outside) source static obj_sip interface service objg_sip_udp2_9000 objg_sip_udp2_900
why???
03-10-2013 06:08 PM
Did you ever get a fix for this? I'm having a similar problem.
03-10-2013 06:58 PM
Check "sh xlate" and "sh conn" to check if that well known port is in use by any existing xlate/connection. If you find it, then clear it up to fix it.
If you get this error while adding a huge port-range like 9000-19000 then you won't get to know that exactly which port no. is causing the issue so break the range in smaller parts.
And keep adding, when you get the error again, break it further in smaller parts till you find out the exact port or port numbers causing the issue and then follow the above mentioned scenarios.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide