cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1847
Views
0
Helpful
6
Replies
joshhaleaos
Beginner

Port Forward - ASA 5505

I am trying to forward both TCP and UDP ports 3074 but it looks like I can only have either TCP/3074 or UDP/3074 open one at a time.  When I try to enter the UDP/3074 NAT statement, I get "ERROR: NAT unable to reserve ports"   What can I do to get around this?

Thanks

object network nat-tcp-3074

host 10.1.1.120

exit

object network nat-udp-3074

host 10.1.1.120

exit

object network nat-tcp-3074

nat (inside,outside) static interface service tcp 3074 3074

object network nat-udp-3074

nat (inside,outside) static interface service udp 3074 3074

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions

Hi,

My own ASA5505 is actually at the exact same software version

I went as far as configuring the exact same NAT configurations as you and I received no warning message that you got.

Here is some of my output

ASA(config)# sh nat

Auto NAT Policies (Section 2)

1 (LAN) to (WAN) source static TCP-3074 interface   service tcp 3074 3074

    translate_hits = 0, untranslate_hits = 0

2 (LAN) to (WAN) source static UDP-3074 interface   service udp 3074 3074

    translate_hits = 0, untranslate_hits = 0

3 (LAN) to (WAN) source dynamic obj_any interface

    translate_hits = 127, untranslate_hits = 22

ASA(config)# sh run nat

  • host/subnet lines edited into the below output

object network obj_any

subnet 0.0.0.0 0.0.0.0

nat (LAN,WAN) dynamic interface

object network TCP-3074

host 10.0.0.100

nat (LAN,WAN) static interface service tcp 3074 3074

object network UDP-3074

host 10.0.0.100

nat (LAN,WAN) static interface service udp 3074 3074

Wonder if you have tried to configure this several times and there is some old Xlate/Translation preventing the configuration. I simply cannot see a reason why you wouldnt be able to configure this.

Have you tried doing "clear xlate" and trying to configure it again? Notice that the mentioned command will disconnect all connections formed through the ASA at that moment.

Then again you could also try to reboot the device and see if that has any effect.

- Jouni

View solution in original post

6 REPLIES 6
Jouni Forss
Mentor

Hi,

This should not happen.

I entered the following configurations in my own ASA5505 just now

object network UDP-3074

host 10.0.0.100

nat (LAN,WAN) static interface service udp 3074 3074

object network TCP-3074

host 10.0.0.100

nat (LAN,WAN) static interface service tcp 3074 3074

And there is no problem or error messages.

Could this be caused by some other conflicting configuration?

Is it possible to see the rest of the configurations?

- Jouni

Here is my config.  It's pretty vanilla. 

ASA Version 8.4(5)

!

hostname ASA-5505

enable password xVRT/NUa2bakVc25 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.1.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

boot system disk0:/asa845-k8.bin

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network nat-tcp-3074

host 10.1.1.120

object network nat-udp-3074

host 10.1.1.120

object network nat-udp88

host 10.1.1.120

object service live-88

service udp destination eq 88

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

object network obj_any

nat (inside,outside) dynamic interface

object network nat-tcp3074

nat (inside,outside) static interface service tcp 3074 3074

object network nat-udp88

nat (inside,outside) static interface service udp 88 88

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 10.1.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 10.1.1.0 255.255.255.0 inside

ssh timeout 5

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd auto_config outside

!

dhcpd address 10.1.1.10-10.1.1.41 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username admin password UHn9xMdq6MR3CHC7 encrypted

username administrator password MwgkqWH9Yo4w54xP encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect ftp

  inspect rtsp

  inspect pptp

  inspect http

  inspect icmp

  inspect icmp error

  inspect dns

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

password encryption aes

Cryptochecksum:86b1f500871c0bb50ca1347b7014bfd5

: end

Hi,

My own ASA5505 is actually at the exact same software version

I went as far as configuring the exact same NAT configurations as you and I received no warning message that you got.

Here is some of my output

ASA(config)# sh nat

Auto NAT Policies (Section 2)

1 (LAN) to (WAN) source static TCP-3074 interface   service tcp 3074 3074

    translate_hits = 0, untranslate_hits = 0

2 (LAN) to (WAN) source static UDP-3074 interface   service udp 3074 3074

    translate_hits = 0, untranslate_hits = 0

3 (LAN) to (WAN) source dynamic obj_any interface

    translate_hits = 127, untranslate_hits = 22

ASA(config)# sh run nat

  • host/subnet lines edited into the below output

object network obj_any

subnet 0.0.0.0 0.0.0.0

nat (LAN,WAN) dynamic interface

object network TCP-3074

host 10.0.0.100

nat (LAN,WAN) static interface service tcp 3074 3074

object network UDP-3074

host 10.0.0.100

nat (LAN,WAN) static interface service udp 3074 3074

Wonder if you have tried to configure this several times and there is some old Xlate/Translation preventing the configuration. I simply cannot see a reason why you wouldnt be able to configure this.

Have you tried doing "clear xlate" and trying to configure it again? Notice that the mentioned command will disconnect all connections formed through the ASA at that moment.

Then again you could also try to reboot the device and see if that has any effect.

- Jouni

View solution in original post

Thanks for the reply.  I tried clear xlate and that did not work.  Since you weren't having the same problem, I blew away everything on the config and started over.  It's working now.  Thanks.

heiki saaver
Beginner

sorry for necro, but I am having the exact same problem on my ASA5510 with software version asa912-k8.bin and asdm-713.bin

Is this a software bug on ASA series?

Hi,

I would imagine that its not a bug or it would probably be more common question here on the forums.

Can you start a new discussion about this issue and provide information like your ASA configuration (with masked public IP addresses) and what exactly happens or doesnt happen.

- Jouni

Content for Community-Ad