09-22-2014 08:21 AM - edited 03-11-2019 09:48 PM
I have an ASA 5512 running asa915-smp-k8.bin
I enter the following commands and get this error.
FW-5512-ASA(config)# object network TCP_OWA_443
FW-5512-ASA(config-network-object)# nat (inside,outside) static interface service tcp https https
ERROR: NAT unable to reserve ports.
What would be causing this?
Here is what I tried...
removed ASDM http access from the outside....no change.
removed ASDM http access from inside....no change
Disable HTTP server.... no change
What else have I missed?
Mike
09-22-2014 11:11 AM
Hi,
Are you using SSL VPN on the ASA?
You can use the following command to list some configuration related to it
show run webvpn
Under the shown configurations you could change the used port for those VPN connections though it would naturally have an effect on your users in the sense that they could not use the default HTTPS port of TCP/443.
If you are not using SSL VPN then I would guess this might be a bug. I did have a situation on my ASA5505 that prevented from doing Static PAT for a certain port suddenly with the same error message but a reboot/reload helped in that case.
You can also use the following command to see if the ASA is using the mentioned port still for some reason
show asp table socket
- Jouni
09-22-2014 12:16 PM
Thanks Jouri...
I was just going to post here that I kept troubleshooting and with the help of a co-worker I discovered two things.
One I had to change
http server enable
to
http server enable 4433
or any other port you would like because I have access from outside
and the webvpn I just disabled and then added the lines
object network TCP_OWA_443
nat (inside,outside) static interface service tcp https https
and then re-enabled webvpn
and it worked.
Mike
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide