Showing results for 
Search instead for 
Did you mean: 

"NAT %Port <> is being used by system" on cisco ISR4331

Level 1
Level 1


I'm having a problem with an ISR4331 regarding NAT.

I cannot make a static nat for port 5011 because it keeps reponding this:

%Port 5011 is being used by system

The show ip socket gives me this:

Proto Remote Port Local Port In Out Stat TTY OutputIF
17 68 67 0 0 2002211 0
17 514 64191 0 0 400210 0

And the show ip nat portblock dynamic global gives me this:

8192 -9215 7168 -8191 6144 -7167 5120 -6143 4096 -5119
545 -617
8597 -9620 7573 -8596 6549 -7572 5525 -6548 4501 -5524
585 -648 512 -584

So, why can't i use the port 5011 ????

The ios is: 154-3.S5



17 Replies 17

Mark Malone
VIP Alumni
VIP Alumni

Looks a lot like below on 4351 same type of IOS-XE software

"NAT %Port <> is being used by system" with fix CSCuc79208
A Port Forwarding rule cannot be added as the following error message is displayed:

"NAT %Port <> is being used by system"


ls-rtr1-4351#sh ip nat portblock dynamic global
5120 -6143 4096 -5119 3072 -4095 2048 -3071 1024 -2047

618 -681 545 -617
6549 -7572 5525 -6548 4501 -5524 3010 -4033 1986 -3009
585 -648 512 -584

cls-rtr1-4351#show ip nat portblock pat global

The above ports are dynamically allocated to NAT when more ports are needed for creating translations. So whenever the ports being requested in the the "static mapping" is not in the list above for 'sh ip nat portblock dynamic global', the configuration will be successful otherwise it will fail.
That is why it does not fail when you configure static mapping first and dynamic mapping second as the port is not already allocation for dynamic mapping.

ISR4351 running version 15.4(3)S1

NAT Overload had been configured before the Port Forwarding attempt.

Remove all nat statments and configure static nat before nat overload.

Further Problem Description:

Customer Visible
Was the description about this Bug Helpful?
Last Modified:
May 5,2016
6 Enhancement
Cisco ASR 1000 Series Aggregation Services Routers
Support Cases:
Known Affected Releases:

I tried that workaround and it still gives me the same error.

Its definitely a bug as its on ASRs, 4000s and 7600s , the only other thing could recommend without going to TAC is upgrade to a safe harbour version like below images thats your best bet unless TAC have another workaround

3.13.5S(MD) or 3.16.2S(ED)

The version your on doesn't look to be available anymore online which can indicate there were a lot of issues found with it and Cisco took it down

I have the same similar issue on 6500 too, on both




ip nat inside source static udp 192.168.z.z 4500 a.b.c.d 4500 extendable
%Port 4500 is being used by system min4500

and I have removed all nat statements to try too and no go.

Is anyone aware of an image that doesn't have this issue on the 6500's ?
it makes NAT-T basically useless unless there's something I'm missing.


Block the port 4500 or any 6500 first from being reserve for NAT overloading


# ip nat settings interface-overload block port tcp 4500 or 6500


then you can use this port in any other command. 

Had the same issue on a ISR4331 running farely new code, 03.13.07.S/15.4(3)S7 - release long after this bug was identified.  I was able to fix via:

- remove all NAT statements

- save

- reboot

- drop in static NAT statements

- put in PAT/Overload NAT

This is an old thread, hopefully someone will spot this... I'm having this issue but it's in a colo so my working options are limited...

I assume that removing the overload statement I have will drop my connection but I really need this port translated. Is it possible to enter the nat option in config and reboot to apply it?

Well It was a Piece of cake to solve, Just change the local HTTPS port on the Cisco router,

(Conf)# ip http secure-port <New HTTPS Port Number for the Router>

(Conf)#ip nat inside source static tcp <Inside IP> 443 <Outside IP> 443 extendable 


You can do the same for HTTP as well, with the ip http port <New HTTP Port Number for the Router>


Using your example, I took a little different approach.
(Conf)#no ip http server
(Conf)#no ip http secure-server
(Conf)#ip nat inside source static tcp (Inside IP) 443 (Outside IP) 443 extendable
Work like a top.

FYI, to save rebooting you can try this as an example:

Problem is if you have lots of traffic the nat translations will start again before you can remove the overload statement... so

conf t

Put relevant commands in clipboard (with a return after the overload) and paste, paste, paste like a mad person until you remove the overload statement.

do clear ip nat trans *
no ip nat inside source route-map INTERNET-NAT interface GigabitEthernet0/0/1 overload

Then at your rules again before adding the overload back.

Still an issue in 16.9.4

Level 1
Level 1

You need to remove this port from the reserve ports for NAT overloading. 

Issue following command to block this port first

# ip nat settings interface-overload block port tcp 5011


Then you can use this port else where. 

Great info thanks @azwaronline works well and saves having to clear nat!

Hello, I get an error when trying to run this command:


4331(config)# ip nat settings interface-overload block port tcp 8211
% Invalid input detected at '^' marker.

Hello, I get an error when trying to run this command:


4331(config)# ip nat settings interface-overload block port tcp 8211
% Invalid input detected at '^' marker.

Review Cisco Networking for a $25 gift card