Thanks Jouri... I was just

burleyman · ‎09-22-2014

I have an ASA 5512 running asa915-smp-k8.bin

I enter the following commands and get this error.

FW-5512-ASA(config)# object network TCP_OWA_443
FW-5512-ASA(config-network-object)# nat (inside,outside) static interface service tcp https https
ERROR: NAT unable to reserve ports.

What would be causing this?

Here is what I tried...

removed ASDM http access from the outside....no change.

removed ASDM http access from inside....no change

Disable HTTP server.... no change

What else have I missed?

Mike

Jouni Forss · ‎09-22-2014

Hi,

Are you using SSL VPN on the ASA?

You can use the following command to list some configuration related to it

show run webvpn

Under the shown configurations you could change the used port for those VPN connections though it would naturally have an effect on your users in the sense that they could not use the default HTTPS port of TCP/443.

If you are not using SSL VPN then I would guess this might be a bug. I did have a situation on my ASA5505 that prevented from doing Static PAT for a certain port suddenly with the same error message but a reboot/reload helped in that case.

You can also use the following command to see if the ASA is using the mentioned port still for some reason

show asp table socket

- Jouni

burleyman · ‎09-22-2014

Thanks Jouri...

I was just going to post here that I kept troubleshooting and with the help of a co-worker I discovered two things.

One I had to change

http server enable

to

http server enable 4433

or any other port you would like because I have access from outside

and the webvpn I just disabled and then added the lines

object network TCP_OWA_443
nat (inside,outside) static interface service tcp https https

and then re-enabled webvpn

and it worked.

Mike

NAT error "Unable to reserve ports"