12-23-2014 03:49 AM - edited 03-11-2019 10:15 PM
Hello!
I have ASA 5515, ASA version: 9.3(1), ASDM version: 7.3(1)101.
I am trying to create some port forwardings, but every time I get: ERROR: NAT unable to reserve ports.
I found out that this is somehow connected with service objects.
For example, I want to publish my RDP server:
object service rdp
 service tcp destination eq 3398
object service rdp-outside
 service tcp destination eq 3333
object network rdp-server
 host 192.168.1.2
nat (inside,outside) source static rdp-server interface service rdp rdp-outside
ERROR: NAT unable to reserve ports.
This error appears if I try to accomplish this through the ASDM GUI, both if I try to create the NAT rule manually and through the network object (Add automatic address translation rule).
The only way I can create the port mapping is if I remove the rdp and rdp-outside service objects and configure NAT in the network object (Add automatic address translation rule).
Can someone help me?
Thanks!
12-23-2014 04:14 AM
Hi,
The Manual NAT / Twice NAT configuration you have shown above seems to have the "service" configuration wrong.
The format of the command is
nat (sourceint,destint) source static <source real> <source mapped> service <source service real> <source service mapped>
And when you look at the above format you will notice that if you are doing Static PAT (Port Forward) you would need to configure the "object service" in the following way
object service RDP
service tcp source eq <port>
And so on.
Now that you have "destination" there, it will actually match the translation when the connection is coming from "inside" towards "outside" with the mapped destination port. So no actual Static PAT is performed.
If you wanted to use Auto NAT / Network Object NAT the configuration is much simpler. I personally pretty much always use this
object network <object name>
host <real ip>
nat (sourceint,destint) static <interface or actual ip> service tcp <real port> <mapped port>
If with either of these configurations the ASA gives the error message then make sure that the mapped port is not used in another NAT configuration. If there is no clear problem then it might be some bug. I have had this happen a couple of times and I have had to reboot the firewall.
Hope this helps :)
- Jouni
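The two configurations Jouni describes, written out for the asker's case as an added example (this is not configuration from the thread or from Jouni's post). It uses the thread's values (host 192.168.1.2, real port 3398, mapped port 3333, interfaces inside/outside); the ACL name outside_access_in, the 203.0.113.0/24 source network and the placeholder outside address are assumptions.

```cisco
! Added example, not from the original thread. Ports, host and interface
! names are the asker's; the ACL name and the 203.0.113.x addresses are
! constructed placeholders.
!
! Option A: Manual (Twice) NAT with service objects.
! For Static PAT the service objects must use "source" ports, because the
! inside host is the source of an (inside,outside) rule. With "destination"
! the rule never performs the port forward.
object service rdp-real
 service tcp source eq 3398
object service rdp-mapped
 service tcp source eq 3333
object network rdp-server
 host 192.168.1.2
nat (inside,outside) source static rdp-server interface service rdp-real rdp-mapped
!
! Option B: Auto (Network Object) NAT, the simpler form.
! Configure only one of the two options for the same host and port; a second
! rule claiming mapped port 3333 on the interface is exactly what produces
! "NAT unable to reserve ports".
object network rdp-server
 host 192.168.1.2
 nat (inside,outside) static interface service tcp 3398 3333
!
! Since ASA 8.3 the interface ACL matches the real address and real port,
! so the inbound permit references 192.168.1.2 / 3398, not the mapped 3333.
! Limit the source to the networks that actually need RDP instead of "any".
access-list outside_access_in extended permit tcp 203.0.113.0 255.255.255.0 object rdp-server eq 3398
access-group outside_access_in in interface outside
!
! Checks (run from exec mode):
! show running-config nat | include 3333   <- any rule already holding port 3333?
! show nat detail                          <- hit counts and translated ports
! packet-tracer input outside tcp 203.0.113.5 40000 <outside-interface-ip> 3333
!   (203.0.113.5 and the outside address are placeholders; the trace should
!    show the NAT phase translating to 192.168.1.2/3398 and the ACL permit)
```

Before adding either rule, the first check above is the one that matters most: the error usually means another NAT statement (often a leftover from an earlier ASDM attempt) already owns the mapped port on that interface.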