06-08-2016 03:07 AM - edited 03-08-2019 06:07 AM
Hi!
I'm having a problem with an ISR4331 regarding NAT.
I cannot make a static NAT for port 5011 because it keeps responding with this:
%Port 5011 is being used by system
The show ip socket gives me this:
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 255.255.255.255 68 192.168.1.254 67 0 0 2002211 0
17 10.16.214.7 514 192.168.1.254 64191 0 0 400210 0
And the show ip nat portblock dynamic global gives me this:
tcp:
8192 -9215 7168 -8191 6144 -7167 5120 -6143 4096 -5119
545 -617
udp:
8597 -9620 7573 -8596 6549 -7572 5525 -6548 4501 -5524
585 -648 512 -584
So, why can't I use the port 5011?
The IOS is: 154-3.S5
Tkx
Miguel
06-08-2016 03:49 AM
Looks a lot like the bug below, on a 4351 with the same type of IOS-XE software
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus49353/?referring_site=bugquickviewredir
06-08-2016 07:36 AM
I tried that workaround and it still gives me the same error.
06-08-2016 08:21 AM
It's definitely a bug, as it's on ASRs, 4000s and 7600s. The only other thing I could recommend without going to TAC is to upgrade to a safe harbour version like the image below; that's your best bet unless TAC have another workaround
https://software.cisco.com/download/release.html?mdfid=284358776&flowid=71902&softwareid=282046477&release=3.16.2S&relind=AVAILABLE&rellifecycle=ED&reltype=latest
The version you're on doesn't look to be available online anymore, which can indicate there were a lot of issues found with it and Cisco took it down
12-03-2016 10:34 PM
I have a similar issue on the 6500 too, on both
12.2-33.SXJ10
and
15.1-2.SYS8
ip nat inside source static udp 192.168.z.z 4500 a.b.c.d 4500 extendable
%Port 4500 is being used by system min4500
I have also tried removing all NAT statements, and no go.
Is anyone aware of an image that doesn't have this issue on the 6500s?
It makes NAT-T basically useless unless there's something I'm missing.
Tks,
01-17-2021 03:03 AM
Block the port 4500 or any 6500 first from being reserved for NAT overloading
# ip nat settings interface-overload block port tcp 4500 or 6500
then you can use this port in any other command.
09-18-2017 10:57 AM
Had the same issue on an ISR4331 running fairly new code, 03.13.07.S/15.4(3)S7, released long after this bug was identified. I was able to fix via:
- remove all NAT statements
- save
- reboot
- drop in static NAT statements
- put in PAT/Overload NAT
08-27-2019 08:24 AM
This is an old thread, hopefully someone will spot this... I'm having this issue but it's in a colo so my working options are limited...
I assume that removing the overload statement I have will drop my connection but I really need this port translated. Is it possible to enter the nat option in config and reboot to apply it?
11-16-2019 06:18 AM
Well, it was a piece of cake to solve: just change the local HTTPS port on the Cisco router,
(Conf)# ip http secure-port <New HTTPS Port Number for the Router>
(Conf)#ip nat inside source static tcp <Inside IP> 443 <Outside IP> 443 extendable
You can do the same for HTTP as well, with the ip http port <New HTTP Port Number for the Router>
11-15-2022 12:22 PM
Using your example, I took a little different approach.
(Conf)#no ip http server
(Conf)#no ip http secure-server
(Conf)#ip nat inside source static tcp (Inside IP) 443 (Outside IP) 443 extendable
Works like a top.
02-10-2020 07:44 PM
FYI, to save rebooting you can try this as an example:
Problem is if you have lots of traffic the nat translations will start again before you can remove the overload statement... so
conf t
Put relevant commands in clipboard (with a return after the overload) and paste, paste, paste like a mad person until you remove the overload statement.
do clear ip nat trans *
no ip nat inside source route-map INTERNET-NAT interface GigabitEthernet0/0/1 overload
Then add your rules again before adding the overload back.
Still an issue in 16.9.4
01-17-2021 03:02 AM
You need to remove this port from the reserved ports for NAT overloading.
Issue the following command to block this port first
# ip nat settings interface-overload block port tcp 5011
Then you can use this port elsewhere.
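Added example, not part of the thread or any poster's code: a Python check of whether a port wanted for static NAT falls inside a block listed by show ip nat portblock dynamic global, run over the output from the first post. It assumes the listed blocks are the ports the reply above describes as reserved for NAT overloading; the function names and the extra ports tested (tcp 10000, udp 600) are made up for illustration.

```python
import re

# Output of "show ip nat portblock dynamic global" as posted in the first message.
SAMPLE = """\
tcp:
8192 -9215 7168 -8191 6144 -7167 5120 -6143 4096 -5119
545 -617
udp:
8597 -9620 7573 -8596 6549 -7572 5525 -6548 4501 -5524
585 -648 512 -584
"""

# Each block is printed as "start -end"; several blocks share one line.
RANGE_RE = re.compile(r"(\d+)\s*-\s*(\d+)")


def parse_portblocks(text):
    """Return {"tcp": [(start, end), ...], "udp": [...]}, sorted by start."""
    blocks, proto = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.lower() in ("tcp:", "udp:"):
            proto = line[:-1].lower()
            blocks[proto] = []
        elif proto:
            for start, end in RANGE_RE.findall(line):
                blocks[proto].append((int(start), int(end)))
    return {p: sorted(r) for p, r in blocks.items()}


def find_block(blocks, proto, port):
    """Return the (start, end) block that contains port, or None."""
    for start, end in blocks.get(proto, []):
        if start <= port <= end:
            return (start, end)
    return None


def check_static_ports(text, wanted):
    """wanted: iterable of (proto, port). Maps each to its block or None."""
    blocks = parse_portblocks(text)
    return {(p, n): find_block(blocks, p, n) for p, n in wanted}


if __name__ == "__main__":
    wanted = [("tcp", 5011), ("tcp", 10000), ("udp", 600)]
    for (proto, port), block in check_static_ports(SAMPLE, wanted).items():
        state = f"inside block {block[0]}-{block[1]}" if block else "not in any block"
        print(f"{proto}/{port}: {state}")
```

Against the posted output, tcp 5011 lands in the 4096-5119 block, which matches the port the router refused.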
02-15-2021 03:37 PM
Great info, thanks @azwaronline. Works well and saves having to clear NAT!
09-03-2021 08:04 AM
Hello, I get an error when trying to run this command:
4331(config)# ip nat settings interface-overload block port tcp 8211
^
% Invalid input detected at '^' marker.