
Unable to Port Forward UDP 4500 through Cisco ASA

thomaswayne6
Level 1

Hello,

 

I have a situation where I need to configure port forwarding for traffic originating from a specific IP address on the Internet and destined for a specific IP address located within our inside network (RFC 1918) on UDP 4500. We only have a single public IP address available, which is assigned to the outside interface of the Cisco ASA 5525-X, and I'm pretty sure that rules out using static NAT. We are not using this ASA for any remote-access / site-to-site VPN.

 

The issue is that whenever I configure the following commands, I receive the following error: "ERROR: NAT unable to reserve ports" 

 

object network Inside_Host
 host x.x.x.x
 nat (inside,outside) static interface service udp 4500 4500

 

Please let me know if any further information is required. I'm starting to think that an additional public IP address will have to be allocated in order to just use static NAT instead of port forwarding. Any ideas why this error would be popping up?

1 Reply

The ASA is unable to reserve the ports because port 4500 is already in use, either by AnyConnect etc. if you have it enabled or by your VPN connections. For that reason, the firewall is unable to assign port 4500 to your host.

You can however change the mapping port for external connections to another port, 45000 for example.

 

object network host
host X.X.X.X
nat (inside,outside) static interface service UDP 4500 45000

 

 

Please note that when the packet arrives at the ASA, it will translate port 45000 to 4500, which is the port that your internal host is listening on.

 

Please do not forget to rate.
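
The remapped port forward from the reply above, as an added example that is not part of the original posts: it pairs the NAT rule with an ACL entry limited to the single Internet source the question describes, followed by verification commands. It assumes ASA software 8.3 or later, where interface ACLs match the real (inside) address and port; all addresses and the ACL name are constructed placeholders.

```cisco
! Constructed placeholders (not from the thread):
!   10.0.0.10    = inside host (RFC 1918)
!   203.0.113.10 = the one permitted Internet peer
!   198.51.100.1 = address of the ASA outside interface
!   OUTSIDE_IN   = hypothetical ACL name

! --- global configuration mode ---
object network Inside_Host
 host 10.0.0.10
! Real port first, mapped port second: outside UDP 45000 <-> inside UDP 4500
 nat (inside,outside) static interface service udp 4500 45000

! Permit only the one Internet peer. The ACE names the real address and the
! real port (4500), not the mapped port 45000.
access-list OUTSIDE_IN extended permit udp host 203.0.113.10 host 10.0.0.10 eq 4500

! If an ACL is already bound to the outside interface, add the ACE to that ACL
! instead of binding a new one.
access-group OUTSIDE_IN in interface outside

! --- privileged EXEC mode: verification ---
! List the sockets the ASA itself is listening on, to see what holds UDP 4500.
show asp table socket

! Confirm the static port translation is installed.
show nat detail
show xlate

! Simulate the peer's packet arriving on the mapped port and check that it is
! un-translated to 10.0.0.10:4500 and allowed by the ACL.
packet-tracer input outside udp 203.0.113.10 4500 198.51.100.1 45000 detailed
```

With this mapping the Internet peer has to send to UDP 45000 on the outside address, and replies from the inside host leave the ASA with source port 45000.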
