Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
28649
Views
31
Helpful
17
Replies

"NAT %Port <> is being used by system" on cisco ISR4331

mamaral
Level 1
Level 1

‎06-08-2016 03:07 AM - edited ‎03-08-2019 06:07 AM

Hi!

I'm having a problem with an ISR4331 regarding NAT.

I cannot make a static nat for port 5011 because it keeps reponding this:

%Port 5011 is being used by system

The show ip socket gives me this:

Proto Remote Port Local Port In Out Stat TTY OutputIF
17 255.255.255.255 68 192.168.1.254 67 0 0 2002211 0
17 10.16.214.7 514 192.168.1.254 64191 0 0 400210 0

And the show ip nat portblock dynamic global gives me this:

tcp:
8192 -9215 7168 -8191 6144 -7167 5120 -6143 4096 -5119
545 -617
udp:
8597 -9620 7573 -8596 6549 -7572 5525 -6548 4501 -5524
585 -648 512 -584

So, why can't i use the port 5011 ????

The ios is: 154-3.S5

Tkx

Miguel

10 people had this problem
Labels:
17 Replies 17

Mark Malone
VIP Alumni
VIP Alumni

‎06-08-2016 03:49 AM

Looks a lot like below on 4351 same type of IOS-XE software

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus49353/?referring_site=bugquickviewredir

"NAT %Port <> is being used by system" with fix CSCuc79208
CSCus49353
Description
Symptom:
A Port Forwarding rule cannot be added as the following error message is displayed:

"NAT %Port <> is being used by system"

===================================================

ls-rtr1-4351#sh ip nat portblock dynamic global
tcp:
5120 -6143 4096 -5119 3072 -4095 2048 -3071 1024 -2047

618 -681 545 -617
udp:
6549 -7572 5525 -6548 4501 -5524 3010 -4033 1986 -3009
585 -648 512 -584

cls-rtr1-4351#show ip nat portblock pat global
tcp:
9989

The above ports are dynamically allocated to NAT when more ports are needed for creating translations. So whenever the ports being requested in the the "static mapping" is not in the list above for 'sh ip nat portblock dynamic global', the configuration will be successful otherwise it will fail.
That is why it does not fail when you configure static mapping first and dynamic mapping second as the port is not already allocation for dynamic mapping.

Conditions:
ISR4351 running version 15.4(3)S1

NAT Overload had been configured before the Port Forwarding attempt.

Workaround:
Remove all nat statments and configure static nat before nat overload.

Further Problem Description:

Customer Visible
Was the description about this Bug Helpful?
(3)
Details
Last Modified:
May 5,2016
Status:
Open
Severity:
6 Enhancement
Product:
(1)
Cisco ASR 1000 Series Aggregation Services Routers
Support Cases:
28
Known Affected Releases:
(1)
15.4(3)S1.1

mamaral
Level 1
Level 1
In response to Mark Malone

‎06-08-2016 07:36 AM

I tried that workaround and it still gives me the same error.

0 Helpful

Mark Malone
VIP Alumni
VIP Alumni
In response to mamaral

‎06-08-2016 08:21 AM

Its definitely a bug as its on ASRs, 4000s and 7600s , the only other thing could recommend without going to TAC is upgrade to a safe harbour version like below images thats your best bet unless TAC have another workaround

3.13.5S(MD) or 3.16.2S(ED)

https://software.cisco.com/download/release.html?mdfid=284358776&flowid=71902&softwareid=282046477&release=3.16.2S&relind=AVAILABLE&rellifecycle=ED&reltype=latest

The version your on doesn't look to be available anymore online which can indicate there were a lot of issues found with it and Cisco took it down

0 Helpful

dslottawa
Level 1
Level 1
In response to Mark Malone

‎12-03-2016 10:34 PM

I have the same similar issue on 6500 too, on both

12.2-33.SXJ10

and

15.1-2.SYS8

ip nat inside source static udp 192.168.z.z 4500 a.b.c.d 4500 extendable
%Port 4500 is being used by system min4500

and I have removed all nat statements to try too and no go.

Is anyone aware of an image that doesn't have this issue on the 6500's ?
it makes NAT-T basically useless unless there's something I'm missing.

Tks,

0 Helpful

azwaronline
Level 1
Level 1
In response to dslottawa

‎01-17-2021 03:03 AM

Block the port 4500 or any 6500 first from being reserve for NAT overloading

 

# ip nat settings interface-overload block port tcp 4500 or 6500

 

then you can use this port in any other command. 

casanavep
Level 3
Level 3
In response to Mark Malone

‎09-18-2017 10:57 AM

Had the same issue on a ISR4331 running farely new code, 03.13.07.S/15.4(3)S7 - release long after this bug was identified.  I was able to fix via:

- remove all NAT statements

- save

- reboot

- drop in static NAT statements

- put in PAT/Overload NAT

rudepeople
Level 1
Level 1
In response to casanavep

‎08-27-2019 08:24 AM

This is an old thread, hopefully someone will spot this... I'm having this issue but it's in a colo so my working options are limited...

I assume that removing the overload statement I have will drop my connection but I really need this port translated. Is it possible to enter the nat option in config and reboot to apply it?

0 Helpful

Ahmed Mukhtar
Level 1
Level 1
In response to rudepeople

‎11-16-2019 06:18 AM

Well It was a Piece of cake to solve, Just change the local HTTPS port on the Cisco router,

(Conf)# ip http secure-port <New HTTPS Port Number for the Router>

(Conf)#ip nat inside source static tcp <Inside IP> 443 <Outside IP> 443 extendable 

 

You can do the same for HTTP as well, with the ip http port <New HTTP Port Number for the Router>

 

Rusty Gadberry
Level 1
Level 1
In response to Ahmed Mukhtar

‎11-15-2022 12:22 PM

Using your example, I took a little different approach.
(Conf)#no ip http server
(Conf)#no ip http secure-server
(Conf)#ip nat inside source static tcp (Inside IP) 443 (Outside IP) 443 extendable
Work like a top.

0 Helpful

jelloir
Level 1
Level 1
In response to casanavep

‎02-10-2020 07:44 PM

FYI, to save rebooting you can try this as an example:

Problem is if you have lots of traffic the nat translations will start again before you can remove the overload statement... so

conf t


Put relevant commands in clipboard (with a return after the overload) and paste, paste, paste like a mad person until you remove the overload statement.

do clear ip nat trans *
no ip nat inside source route-map INTERNET-NAT interface GigabitEthernet0/0/1 overload

Then at your rules again before adding the overload back.

Still an issue in 16.9.4

0 Helpful

azwaronline
Level 1
Level 1

‎01-17-2021 03:02 AM

You need to remove this port from the reserve ports for NAT overloading. 

Issue following command to block this port first

# ip nat settings interface-overload block port tcp 5011

 

Then you can use this port else where. 

jelloir
Level 1
Level 1
In response to azwaronline

‎02-15-2021 03:37 PM

Great info thanks @azwaronline works well and saves having to clear nat!

0 Helpful

DonC2
Level 1
Level 1
In response to jelloir

‎09-03-2021 08:04 AM

Hello, I get an error when trying to run this command:

 

4331(config)# ip nat settings interface-overload block port tcp 8211
                                             ^
% Invalid input detected at '^' marker.

0 Helpful

DonC2
Level 1
Level 1
In response to azwaronline

‎09-03-2021 06:58 AM

Hello, I get an error when trying to run this command:

 

4331(config)# ip nat settings interface-overload block port tcp 8211
                                             ^
% Invalid input detected at '^' marker.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card