Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
467
Views
5
Helpful
1
Replies

Strange NAT problem

Go to solution
bondandrey
Level 1
Level 1

‎12-23-2014 03:49 AM - edited ‎03-11-2019 10:15 PM

Hello!

I have ASA 5515, ASA version: 9.3(1), ASDM version: 7.3(1)101.

 

I try to create some port forwardings, but every time get: ERROR: NAT unable to reserve ports. 

I found out, that this somehow connected with service objects.

For example, I want to publish my RDP server:

object service rdp

    service tcp destination eq 3398

object service rdp-outside

    service tcp destination eq 3333

object network rdp-server

    host 192.168.1.2

nat (inside,outside) source static drp-server interface service rdp rdp-outside

ERROR: NAT unable to reserve ports. 

This error appears if I try to accomplish this through ASDM-gui both if I try to create NAT rule manually and through network object(Add automatic address translation rule).

The only way I can create port mapping is if I remove rdp and rdp-otside service objects and configure NAT in network object(Add automatic address translation rule).

Can someone help me?

Thanks!

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎12-23-2014 04:14 AM

Hi,

 

The Manual NAT / Twice NAT configuration you have shown above seems to have the "service" configuration wrong.

 

The format of the command is

 

nat (sourceint,destint) source static <source real> <source mapped> service <source service real> <source service mapped>

 

And when you look at the above format you will notice that if you are doing Static PAT (Port Forward) you would need to configure the "object service" in the following way

 

object service RDP
 service tcp source eq <port>

 

And so on.

 

Now that you have "destination" there it will actually match the translation when the connection is coming from "inside" towards "outside" with the mapped destination port. So no actual Static PAT is performed.

 

If you wanted to use Auto NAT / Network Object NAT the configuration is much simpler. I personally pretty much always use this

 

object network <object name>
  host <real ip>
  nat (sourceint,destint) static <interface or actual ip> service tcp <real port> <mapped port>

 

If with either of these configurations the ASA gives the error message then make sure that the mapped port is not used in another NAT configuration. If there is no clear problem then it might be some bug. I have had this happen a couple of times and I have had to reboot the firewall.

 

Hope this helps :)

 

- Jouni

View solution in original post

1 Reply 1

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎12-23-2014 04:14 AM

Hi,

 

The Manual NAT / Twice NAT configuration you have shown above seems to have the "service" configuration wrong.

 

The format of the command is

 

nat (sourceint,destint) source static <source real> <source mapped> service <source service real> <source service mapped>

 

And when you look at the above format you will notice that if you are doing Static PAT (Port Forward) you would need to configure the "object service" in the following way

 

object service RDP
 service tcp source eq <port>

 

And so on.

 

Now that you have "destination" there it will actually match the translation when the connection is coming from "inside" towards "outside" with the mapped destination port. So no actual Static PAT is performed.

 

If you wanted to use Auto NAT / Network Object NAT the configuration is much simpler. I personally pretty much always use this

 

object network <object name>
  host <real ip>
  nat (sourceint,destint) static <interface or actual ip> service tcp <real port> <mapped port>

 

If with either of these configurations the ASA gives the error message then make sure that the mapped port is not used in another NAT configuration. If there is no clear problem then it might be some bug. I have had this happen a couple of times and I have had to reboot the firewall.

 

Hope this helps :)

 

- Jouni

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card