02-26-2013 12:25 PM - edited 03-11-2019 06:06 PM
I am trying to forward both TCP and UDP ports 3074, but it looks like I can only have either TCP/3074 or UDP/3074 open one at a time. When I try to enter the UDP/3074 NAT statement, I get "ERROR: NAT unable to reserve ports". What can I do to get around this?
Thanks
object network nat-tcp-3074
host 10.1.1.120
exit
object network nat-udp-3074
host 10.1.1.120
exit
object network nat-tcp-3074
nat (inside,outside) static interface service tcp 3074 3074
object network nat-udp-3074
nat (inside,outside) static interface service udp 3074 3074
Thanks
02-26-2013 12:34 PM
Hi,
This should not happen.
I entered the following configurations in my own ASA5505 just now
object network UDP-3074
host 10.0.0.100
nat (LAN,WAN) static interface service udp 3074 3074
object network TCP-3074
host 10.0.0.100
nat (LAN,WAN) static interface service tcp 3074 3074
And there is no problem or error messages.
Could this be caused by some other conflicting configuration?
Is it possible to see the rest of the configurations?
- Jouni
02-26-2013 12:47 PM
Here is my config. It's pretty vanilla.
ASA Version 8.4(5)
!
hostname ASA-5505
enable password xVRT/NUa2bakVc25 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa845-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network nat-tcp-3074
host 10.1.1.120
object network nat-udp-3074
host 10.1.1.120
object network nat-udp88
host 10.1.1.120
object service live-88
service udp destination eq 88
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
object network nat-tcp3074
nat (inside,outside) static interface service tcp 3074 3074
object network nat-udp88
nat (inside,outside) static interface service udp 88 88
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.1.1.10-10.1.1.41 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password UHn9xMdq6MR3CHC7 encrypted
username administrator password MwgkqWH9Yo4w54xP encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect rtsp
inspect pptp
inspect http
inspect icmp
inspect icmp error
inspect dns
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
password encryption aes
Cryptochecksum:86b1f500871c0bb50ca1347b7014bfd5
: end
02-26-2013 01:01 PM
Hi,
My own ASA5505 is actually at the exact same software version.
I went as far as configuring the exact same NAT configurations as you, and I did not receive the warning message that you got.
Here is some of my output
ASA(config)# sh nat
Auto NAT Policies (Section 2)
1 (LAN) to (WAN) source static TCP-3074 interface service tcp 3074 3074
translate_hits = 0, untranslate_hits = 0
2 (LAN) to (WAN) source static UDP-3074 interface service udp 3074 3074
translate_hits = 0, untranslate_hits = 0
3 (LAN) to (WAN) source dynamic obj_any interface
translate_hits = 127, untranslate_hits = 22
ASA(config)# sh run nat
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (LAN,WAN) dynamic interface
object network TCP-3074
host 10.0.0.100
nat (LAN,WAN) static interface service tcp 3074 3074
object network UDP-3074
host 10.0.0.100
nat (LAN,WAN) static interface service udp 3074 3074
Wonder if you have tried to configure this several times and there is some old Xlate/Translation preventing the configuration. I simply cannot see a reason why you wouldn't be able to configure this.
Have you tried doing "clear xlate" and trying to configure it again? Notice that the mentioned command will disconnect all connections formed through the ASA at that moment.
Then again you could also try to reboot the device and see if that has any effect.
- Jouni
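An added example, not part of the original thread and not Cisco tooling: a small Python check that parses object NAT lines in the layout quoted above, lists the static interface port forwards, and reports only rules that claim the same mapped interface, protocol and port. It shows that tcp/3074 and udp/3074 occupy different keys; the regular expressions, function names and the `TCP-3074-dup` object are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the "sh run nat" output quoted in the
# thread; the TCP-3074-dup object is an added, hypothetical duplicate.
SAMPLE = """\
object network TCP-3074
 host 10.0.0.100
 nat (LAN,WAN) static interface service tcp 3074 3074
object network UDP-3074
 host 10.0.0.100
 nat (LAN,WAN) static interface service udp 3074 3074
object network TCP-3074-dup
 host 10.0.0.101
 nat (LAN,WAN) static interface service tcp 3074 3074
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
PAT_RE = re.compile(
    r"^nat \((\S+?),(\S+?)\) static interface service (tcp|udp) (\S+) (\S+)$")


def port_forwards(config):
    """Parse static interface PAT rules out of object NAT configuration."""
    rules, hosts, name = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate configs pasted with indentation lost
        if m := OBJ_RE.match(line):
            name = m.group(1)
        elif (m := HOST_RE.match(line)) and name:
            hosts[name] = m.group(1)  # host may sit in an earlier stanza
        elif (m := PAT_RE.match(line)) and name:
            _real_if, mapped_if, proto, real_port, mapped_port = m.groups()
            rules.append({"object": name, "host": hosts.get(name),
                          "mapped_if": mapped_if, "proto": proto,
                          "real_port": real_port, "mapped_port": mapped_port})
    return rules


def conflicts(rules):
    """Return (mapped interface, protocol, mapped port) keys claimed twice."""
    claimed = defaultdict(list)
    for r in rules:
        claimed[(r["mapped_if"], r["proto"], r["mapped_port"])].append(r["object"])
    return {key: objs for key, objs in claimed.items() if len(objs) > 1}


if __name__ == "__main__":
    for key, objs in conflicts(port_forwards(SAMPLE)).items():
        print("conflict on", key, "between", objs)
```

The same listing doubles as an inventory of which inside hosts are reachable from the outside interface, which is worth reviewing whenever port forwards are added.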
02-26-2013 01:40 PM
Thanks for the reply. I tried clear xlate and that did not work. Since you weren't having the same problem, I blew away everything on the config and started over. It's working now. Thanks.
07-29-2013 03:07 PM
Sorry for necro, but I am having the exact same problem on my ASA5510 with software version asa912-k8.bin and asdm-713.bin.
Is this a software bug on ASA series?
07-29-2013 03:19 PM
Hi,
I would imagine that it's not a bug, or it would probably be a more common question here on the forums.
Can you start a new discussion about this issue and provide information like your ASA configuration (with masked public IP addresses) and what exactly happens or doesn't happen?
- Jouni