cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4422
Views
0
Helpful
6
Replies

Problem with "ERROR: NAT unable to reserve ports."

Cormac Champion
Level 1
Level 1

Hi all,

 

I'm trying to get remote access through my 5505 (Security Plus Licence) to my inside Server, and so I have tried to apply the following

nat (inside,outside) source static obj-WebServer interface service any REMOTE-HTTPS

but as per the subject, I keep getting the message "ERROR: NAT unable to reserve ports."

 

I have successfully applied the same rule two other ports - for REMOTE-RDP and REMOTE-8090.  ADSM is configured to run on a port 50443 - so I cannot understand as to why I cannot apply the required config.

 

SPIRIT-FW1# sh xlate
9 in use, 18 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from inside:10.10.5.100 0 to outside:192.168.1.17 3389-3389
flags srT idle 1:00:46 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 0 to inside:0.0.0.0/0 0
flags srIT idle 1:00:46 timeout 0:00:00
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 1:00:46 timeout 0:00:00
NAT from outside:0.0.0.0/0 to inside_2:0.0.0.0/0
flags sIT idle 1:00:46 timeout 0:00:00
NAT from outside:0.0.0.0/0 to inside_3:0.0.0.0/0
flags sIT idle 1:00:46 timeout 0:00:00
NAT from outside:0.0.0.0/0 to inside_4:0.0.0.0/0
flags sIT idle 1:00:46 timeout 0:00:00
TCP PAT from outside:10.10.5.100 0 to inside:192.168.1.17 8090-8090
flags srT idle 1:00:46 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 0 to inside:0.0.0.0/0 0
flags srIT idle 1:00:46 timeout 0:00:00
UDP PAT from outside:147.156.7.18 123-123 to inside:0.0.0.0/0 123-123
flags srT idle 0:36:14 timeout 0:00:00
 

I would be very grateful for any help or assistance

1 Accepted Solution

Accepted Solutions

Hi,
I imagine you have got Webvpn/SSL-VPN enabled on the ASA? Run "show webvpn" to confirm if webvpn is enabled and listening on tcp/443 on the outside interface. If you run the command "show asp table socket" it will also confirm if the port is already in use.

If you aren't using webvpn, then use the command "no webvpn" to disable.

HTH

View solution in original post

6 Replies 6

balaji.bandi
Hall of Fame
Hall of Fame

what is the definition of - REMOTE-HTTPS? 443 ?

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

object service REMOTE-HTTPS
service tcp source eq https

Hi,
I imagine you have got Webvpn/SSL-VPN enabled on the ASA? Run "show webvpn" to confirm if webvpn is enabled and listening on tcp/443 on the outside interface. If you run the command "show asp table socket" it will also confirm if the port is already in use.

If you aren't using webvpn, then use the command "no webvpn" to disable.

HTH

Many thanks for that - that was it exactly.  After removing the webvpn command, it just needed a reboot.  The "sh asp table socket" command confirmed everything.

 

One more thing - is there a tutorial anywhere I can follow, or can you give me an example for how to configure an inbound connection with port translation.  Suppose I wanted to setup Remote Access to HOST_B using an original destination port 8080 translating to the inside HOST_B on port 80.

 

And what about configuring Remote SSH Access to the FW itself, using an original destination port of say 50022 translating to port 22 on the FW

Hi,

Here is an NAT example. In this example traffic destined to the IP address of the outside interface on port 8080 is the natted to the real (private) IP address of HOST_B on port 80. The ACL references the real port 80 and not the natted IP address. Just change the host IP address and the ACL name.

object network HOST_B
host 192.168.10.5
nat (INSIDE,OUTSIDE) static interface service tcp 80 8080

access-list OUTSIDE_IN extended permit tcp any object HOST_B eq 80

I dont think you can NAT traffic destined to the ASA itself, nor do not think it's possible it actually change the port from 22 to something else.

 

HTH

I'm trying to get a Port Translation to work - port 52722 on the outside to port 22 on the inside server.

 

However, I'm getting a Subtype rpf-check DROP

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: