NAT error "Unable to reserve ports"

Unanswered Question
Sep 22nd, 2014
User Badges:
  • Blue, 1500 points or more

I have an ASA 5512 running asa915-smp-k8.bin

 I enter the following commands and get this error.

FW-5512-ASA(config)# object network TCP_OWA_443
FW-5512-ASA(config-network-object)# nat (inside,outside) static interface service tcp https https
ERROR: NAT unable to reserve ports.

What would be causing this?

Here is what I tried...

removed ASDM http access from the change.

removed ASDM http access from change

Disable HTTP server.... no change


What else have I missed?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Jouni Forss Mon, 09/22/2014 - 11:11
User Badges:
  • Super Bronze, 10000 points or more



Are you using SSL VPN on the ASA?

You can use the following command to list some configuration related to it


show run webvpn

Under the shown configurations you could change the used port for those VPN connections though it would naturally have an effect on your users in the sense that they could not use the default HTTPS port of TCP/443.


If you are not using SSL VPN then I would guess this might be a bug. I did have a situation on my ASA5505 that prevented from doing Static PAT for a certain port suddenly with the same error message but a reboot/reload helped in that case.


You can also use the following command to see if the ASA is using the mentioned port still for some reason


show asp table socket


- Jouni

burleyman Mon, 09/22/2014 - 12:16
User Badges:
  • Blue, 1500 points or more

Thanks Jouri...


I was just going to post here that I kept troubleshooting and with the help of a co-worker I discovered two things.

One I had to change

http server enable


http server enable 4433

or any other port you would like because I have access from outside


and the webvpn I just disabled and then added the lines

object network TCP_OWA_443
 nat (inside,outside) static interface service tcp https https


and then re-enabled webvpn


and it worked.




This Discussion