I'm having a problem with an ISR4331 regarding NAT.
I cannot make a static NAT for port 5011 because it keeps responding with this:
%Port 5011 is being used by system
The show ip socket gives me this:
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 255.255.255.255 68 192.168.1.254 67 0 0 2002211 0
17 10.16.214.7 514 192.168.1.254 64191 0 0 400210 0
And the show ip nat portblock dynamic global gives me this:
8192 -9215 7168 -8191 6144 -7167 5120 -6143 4096 -5119
8597 -9620 7573 -8596 6549 -7572 5525 -6548 4501 -5524
585 -648 512 -584
So, why can't I use port 5011?
The IOS is: 154-3.S5
Looks a lot like below on 4351 same type of IOS-XE software
|Known Affected Releases:||
|Known Fixed Releases:||
It's definitely a bug as it's on ASRs, 4000s and 7600s. The only other thing I could recommend without going to TAC is to upgrade to a safe harbour version like the images below; that's your best bet unless TAC has another workaround.
The version you're on doesn't look to be available online anymore, which can indicate there were a lot of issues found with it and Cisco took it down.
I have the same similar issue on 6500 too, on both
ip nat inside source static udp 192.168.z.z 4500 a.b.c.d 4500 extendable
%Port 4500 is being used by system min4500
and I have removed all NAT statements to try too and no go.
Is anyone aware of an image that doesn't have this issue on the 6500s?
It makes NAT-T basically useless unless there's something I'm missing.
Had the same issue on an ISR4331 running fairly new code, 03.13.07.S/15.4(3)S7 - released long after this bug was identified. I was able to fix via:
- remove all NAT statements
- drop in static NAT statements
- put in PAT/Overload NAT
This is an old thread, hopefully someone will spot this... I'm having this issue but it's in a colo so my working options are limited...
I assume that removing the overload statement I have will drop my connection but I really need this port translated. Is it possible to enter the nat option in config and reboot to apply it?
Well, it was a piece of cake to solve: just change the local HTTPS port on the Cisco router,
(Conf)# ip http secure-port <New HTTPS Port Number for the Router>
(Conf)# ip nat inside source static tcp <Inside IP> 443 <Outside IP> 443 extendable
You can do the same for HTTP as well, with the ip http port <New HTTP Port Number for the Router>
FYI, to save rebooting you can try this as an example:
Problem is, if you have lots of traffic, the NAT translations will start again before you can remove the overload statement... so
Put the relevant commands in the clipboard (with a return after the overload) and paste, paste, paste like a mad person until you remove the overload statement.
do clear ip nat trans *
no ip nat inside source route-map INTERNET-NAT interface GigabitEthernet0/0/1 overload
Then add your rules again before adding the overload back.
Still an issue in 16.9.4