Cisco 5505 ASA 8.4(4)1. Need NAT port range for sip server.

IgorKH2013
Level 1

: Saved
: Written by enable_15 at 03:51:29.049 UTC Mon Feb 4 2013
!
ASA Version 8.4(4)1
!
hostname ciscoasa
enable password xxxxx encrypted
passwd xxxxx encrypted
names
!
interface Ethernet0/0
switchport access vlan 100
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 103
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan100
nameif outside
security-level 0
ip address dhcp
!
interface Vlan103
nameif inside
security-level 100
ip address 192.xx.xx.253 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server xx.xx.xx.250
name-server xx.xx.xx.250
object network obj_any
subnet 0.0.0.0 0.0.0.0
!
object network obj_sip
host 192.xx.xx.200
!
object service objg_sip_tcp2_4050
service tcp source eq 4050
object service objg_sip_tcp2_4054
service tcp source eq 4054
!
object service objg_sip_udp2_4003
service udp source range 4003 4005
object service objg_sip_udp2_5060
service udp source eq sip
object service objg_sip_udp2_9000
service udp source range 9000 19000
!
object-group service objg_sip_tcp tcp
port-object eq 4050
port-object eq 4054
!
object-group service objg_sip_udp udp
port-object range 4003 4005
port-object eq sip
port-object range 9000 19000
!
access-list i-to-o extended permit tcp 192.xx.xx.0 255.255.255.0 any
access-list i-to-o extended permit icmp 192.xx.xx.0 255.255.255.0 any
access-list i-to-o extended permit udp 192.xx.xx.0 255.255.255.0 any
!
access-list o-to-i extended permit tcp any object obj_sip object-group objg_sip_tcp
access-list o-to-i extended permit udp any object obj_sip object-group objg_sip_udp
!
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
nat (inside,outside) source static obj_sip interface service objg_sip_tcp2_4050 objg_sip_tcp2_4050
nat (inside,outside) source static obj_sip interface service objg_sip_tcp2_4054 objg_sip_tcp2_4054
nat (inside,outside) source static obj_sip interface service objg_sip_udp2_4003 objg_sip_udp2_4003
!
object network obj_any
nat (inside,outside) dynamic interface
!
access-group o-to-i in interface outside
access-group i-to-o in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
!
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.xx.xx.54 255.255.255.255 inside
telnet timeout 30
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username igor password 0cm30kMeT98PBJOU encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ec0d658a23cfaa327a78ca2847a57c07
: end

Error: "NAT unable to reserve ports" for

nat (inside,outside) source static obj_sip interface service objg_sip_udp2_5060 objg_sip_udp2_5060

and

nat (inside,outside) source static obj_sip interface service objg_sip_udp2_9000 objg_sip_udp2_900

why???

2 Replies

adrian.watmough
Level 1

Did you ever get a fix for this? I'm having a similar problem.

Check "sh xlate" and "sh conn" to check if that well-known port is in use by any existing xlate/connection. If you find it, then clear it up to fix it.

If you get this error while adding a huge port range like 9000-19000, then you won't get to know exactly which port no. is causing the issue, so break the range into smaller parts.

And keep adding; when you get the error again, break it further into smaller parts till you find out the exact port or port numbers causing the issue, and then follow the above-mentioned scenarios.
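As an added example (not code from this thread or from Cisco), a small Python checker that parses `object service` and static PAT `nat` lines in the syntax shown above, reports which ports of a new rule are already reserved on the interface by rules in the config, and implements the range-splitting the reply recommends. The config excerpt is constructed, and `objg_test_udp_4000` is an invented object that overlaps the 4003-4005 rule already applied.

```python
import re
from collections import defaultdict
# Constructed excerpt in the thread's syntax; objg_test_udp_4000 is an invented
# candidate that overlaps the 4003-4005 rule already applied.
CONFIG = """
object service objg_sip_udp2_4003
 service udp source range 4003 4005
object service objg_sip_udp2_5060
 service udp source eq sip
object service objg_test_udp_4000
 service udp source range 4000 4010
nat (inside,outside) source static obj_sip interface service objg_sip_udp2_4003 objg_sip_udp2_4003
"""
NAMED_PORTS = {"sip": 5060, "domain": 53, "www": 80, "https": 443}  # ASA keyword ports

def port_value(tok):
    return NAMED_PORTS.get(tok) or int(tok)

def parse_config(text):
    """Return (objects, taken): name -> (proto, port set), and the interface
    ports already reserved per protocol by the static PAT rules in the config."""
    objects, taken, current = {}, defaultdict(set), None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"object service (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"service (tcp|udp) source (eq|range) (\S+)(?: (\S+))?", line):
            proto, kind, a, b = m.groups()
            lo, hi = port_value(a), (port_value(b) if kind == "range" else port_value(a))
            objects[current] = (proto, set(range(lo, hi + 1)))
        elif m := re.match(r"nat \(\S+\) source static \S+ interface service \S+ (\S+)", line):
            proto, ports = objects[m.group(1)]  # mapped (outside) service object
            taken[proto] |= ports
    return objects, taken

def conflicts(objects, taken, name):
    """Ports of service object 'name' that collide with reserved ones ([] = none)."""
    proto, ports = objects[name]
    return sorted(ports & taken[proto])

def bisect_conflicts(lo, hi, rejects):
    """The reply's advice as an algorithm: split a refused range until the exact
    offending ports remain; rejects(lo, hi) stands in for trying the rule on the ASA."""
    if not rejects(lo, hi):
        return []
    if lo == hi:
        return [lo]
    mid = (lo + hi) // 2
    return bisect_conflicts(lo, mid, rejects) + bisect_conflicts(mid + 1, hi, rejects)
```

When the checker reports no overlap in the config (as for UDP 5060 in this excerpt), the remaining suspect is a live xlate or connection holding the port, which is exactly what the "sh xlate" / "sh conn" step in the reply is meant to surface.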
