ISR4331 - NAT issue %Port 22 is being used by system

theitmedic
Level 1

I'm trying to add a dynamic and a static NAT on an ISR4331 device. The dynamic NAT works fine, but when I enter the static one I get the error "%Port 22 is being used by system". I cleared the ip nat trans*, removed the dynamic NAT and added the static one first, and still get the same error.

Any ideas?

interface GigabitEthernet0/0/0
 description Outside LAN Interface
 ip address 192.168.98.50 255.255.255.0
!
interface GigabitEthernet0/0/1
 description Inside
 ip address 192.168.1.1 255.255.255.0
!
ip nat inside source route-map NAT-DYNAMIC-RMAP interface GigabitEthernet0/0/0 overload
ip nat inside source static tcp 192.168.1.30 22 192.168.98.50 22 route-map NAT-STATIC-RMAP extendable
%Port 22 is being used by system
!
route-map NAT-STATIC-RMAP permit 1
 match ip address 101
 match interface GigabitEthernet0/0/0
!
route-map NAT-DYNAMIC-RMAP permit 1
 match ip address 101
 match interface GigabitEthernet0/0/0


I'm running IOS XE version isr4300-universalk9.16.09.03.SPA.bin

Thanks

GW

4 Replies

Mathias Garcia
Level 1

The error is fairly self-explanatory.

The router is already using port 22 for SSH access to itself and therefore does not allow you to use it for other purposes.

You will have to use another outside port to get this working, perhaps 192.168.98.50 222 as an example. 

ip nat inside source static tcp 192.168.1.30 22 192.168.98.50 222 route-map NAT-STATIC-RMAP extendable
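An offline pre-flight check for the collision Mathias describes, as an added example written for this page (not Cisco code and not something posted in the thread): it parses a running-config and flags static PAT entries whose outside port lands on a port the router's own services listen on, then proposes a free alternative such as 222. Only the port-22/SSH rule comes from the thread; the Telnet/HTTP(S) ports, the rule that only router-owned global addresses are affected, and SAMPLE_CONFIG are assumptions constructed for the example.

```python
"""Offline pre-flight check for the error in this thread: a static PAT whose
outside port is already bound by a service on the router itself.

Added example for this page, not Cisco code and not from the thread. Only the
port-22/SSH rule is taken from the thread; the Telnet/HTTP(S) ports and the
"only router-owned global addresses collide" rule are assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticPat:
    proto: str
    inside_ip: str
    inside_port: int
    outside: str        # global IPv4 address or "interface <name>"
    outside_port: int
    text: str           # the config line as written


STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (interface \S+|\S+) (\d+)")


def parse_static_pats(config):
    """All 'ip nat inside source static tcp|udp ...' lines as StaticPat records."""
    pats = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, iip, iport, outside, oport = m.groups()
            pats.append(StaticPat(proto, iip, int(iport), outside, int(oport), line.strip()))
    return pats


def router_addresses(config):
    """Primary IPv4 address per interface, read from the interface stanzas."""
    addrs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "!":
            current = None
        elif current and line.startswith("ip address "):
            parts = line.split()
            if len(parts) >= 4:                     # skips "ip address dhcp"
                addrs.setdefault(current, parts[2])  # first address is the primary
    return addrs


def system_ports(config):
    """TCP ports the router's own services listen on, inferred from the config.
    Port 22 matches the thread; 23/80/443 are assumed IOS defaults, honouring
    'ip http port' / 'ip http secure-port' overrides."""
    lines = [l.strip() for l in config.splitlines()]
    http, https = 80, 443
    for l in lines:
        m = re.match(r"ip http port (\d+)$", l)
        if m:
            http = int(m.group(1))
        m = re.match(r"ip http secure-port (\d+)$", l)
        if m:
            https = int(m.group(1))
    ports = {}
    if any(re.match(r"transport input\b.*\b(ssh|all)\b", l) for l in lines) \
            or any(l.startswith("ip ssh ") for l in lines):
        ports[22] = "SSH server"
    if any(re.match(r"transport input\b.*\b(telnet|all)\b", l) for l in lines):
        ports[23] = "Telnet server"
    if "ip http server" in lines:
        ports[http] = "HTTP server"
    if "ip http secure-server" in lines:
        ports[https] = "HTTPS server"
    return ports


def find_collisions(config):
    """(entry, reason) for each TCP static PAT whose outside port is a system
    port on an address the router owns. Assumption: a global address the
    router does not own is left alone, since no router service listens there."""
    owned = set(router_addresses(config).values())
    ports = system_ports(config)
    hits = []
    for pat in parse_static_pats(config):
        on_router = pat.outside.startswith("interface ") or pat.outside in owned
        if pat.proto == "tcp" and on_router and pat.outside_port in ports:
            hits.append((pat, "port %d is used by the %s" % (pat.outside_port, ports[pat.outside_port])))
    return hits


def suggest_outside_port(config, pat, candidates=(222, 2222, 2022)):
    """An alternative outside port that neither a router service nor another
    static PAT on the same global address/protocol already uses, else None."""
    taken = set(system_ports(config))
    taken |= {p.outside_port for p in parse_static_pats(config)
              if p.outside == pat.outside and p.proto == pat.proto}
    return next((c for c in candidates if c not in taken), None)


# Constructed sample modelled on the thread's config (not the poster's exact config).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 description Outside LAN Interface
 ip address 192.168.98.50 255.255.255.0
!
interface GigabitEthernet0/0/1
 description Inside
 ip address 192.168.1.1 255.255.255.0
!
ip http secure-server
ip nat inside source route-map NAT-DYNAMIC-RMAP interface GigabitEthernet0/0/0 overload
ip nat inside source static tcp 192.168.1.30 22 192.168.98.50 22 route-map NAT-STATIC-RMAP extendable
ip nat inside source static tcp 192.168.1.30 22 192.168.98.50 222 route-map NAT-STATIC-RMAP extendable
ip nat inside source static tcp 192.168.1.40 443 interface GigabitEthernet0/0/0 443 extendable
ip nat inside source static tcp 192.168.1.40 443 192.168.98.60 443 extendable
!
line vty 0 4
 transport input ssh
!
"""

if __name__ == "__main__":
    for pat, why in find_collisions(SAMPLE_CONFIG):
        alt = suggest_outside_port(SAMPLE_CONFIG, pat)
        print("REJECT  %s\n        %s; try outside port %s" % (pat.text, why, alt))
```

Running it against the sample rejects the port-22 entry on 192.168.98.50 (SSH) and the port-443 entry bound to the outside interface (HTTPS), and leaves the 222 entry and the entry on the non-router address 192.168.98.60 alone. Moving the forward to another outside port, as Mathias suggests, also keeps the router's own SSH host key intact; the zeroize-and-regenerate workaround later in the thread produces a new host key each time it runs, which every SSH client that has the old key cached will flag as a mismatch.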

This fixed it:

action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 2.1 cli command "crypto key zeroize rsa" pattern "yes"
action 2.2 wait 5
action 2.3 cli command "yes"
action 5.3 cli command "ip nat inside source static tcp 1.1.1.1 22 80.28.132.236 22"
action 5.5 cli command "crypto key generate rsa general-keys modulus 512"
action 6.0 cli command "end"

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo68393/?reffering_site=dumpcr

Interesting.
I guess that as long as you're never going to connect via SSH to the outside interface of the router, it's a useful workaround.

I don't like the fact that the script will trigger on any link up/down event. I am doing this on an ASR 1002-HX.

Here is the config.

event manager applet NAT authorization bypass
event syslog pattern "%SPA_OIR-6-ONLINECARD:"
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 2.1 cli command "crypto key zeroize rsa"
action 2.2 wait 5
action 2.3 cli command "yes"
action 5.3 cli command "ip nat inside source static tcp 172.17.0.66 22 x.x.x.x 22 extendable"
action 5.5 cli command "crypto key generate rsa general-keys modulus 2048 label myrsakey"
action 6.0 cli command "end"

Unfortunately the script did not run at reload.

This is what I found in the show event manager history events detailed output:

8 8 Actv abort Thu Sep 3 14:42:31 2020 syslog applet: NAT
 msg *Sep 3 14:42:31.695: %SPA_OIR-6-ONLINECARD: SPA (BUILT-IN-EPA-8x1G) online in subslot 0/0
9 10 Actv abort Thu Sep 3 14:42:41 2020 syslog applet: NAT
 msg *Sep 3 14:42:41.020: %SPA_OIR-6-ONLINECARD: SPA (BUILT-IN-EPA-8x10G) online in subslot 0/1