Cisco ASA NAT on port 1977 failed (unable to reserve)

Guest

Cisco ASA NAT on port 1977 failed (unable to reserve)

Post by Guest » Sat Jan 01, 2005 5:43 pm

Good day! I have a Cisco ASA 5505 and I need to translate an inbound connection on port tcp/1977 to some inside IP. But the ASA says: "unable to reserve". I think this IP is reserved by the ASA for something. But I couldn't find anything about this port, only that it's the tcoaddressbook service. Is there a way to use tcp/1977 for NAT? Thanks!

Guest

Re:Cisco ASA NAT on port 1977 failed (unable to reserve)

Post by Guest » Sat Jan 01, 2005 7:20 pm

Is this ASA running 8.3 or 8.2 code? In 8.2 it is:

    static (inside,outside) tcp interface 1977 x.x.x.x 1977

where x.x.x.x is the real IP address of the server listening on TCP port 1977. In 8.3 it is:

    object network host-1977
     host x.x.x.x
     nat (inside,outside) static interface service tcp 1977 1977

Replace the word "interface" with the IP address if this is some other available IP address besides the interface IP.

-KS

Guest

Re:Cisco ASA NAT on port 1977 failed (unable to reserve)

Post by Guest » Sat Jan 01, 2005 7:30 pm

Thanks for the reply! The ASA is running 8.3 code, and my configuration is exactly the same as yours. But as I wrote in the first message, the ASA answers "Unable to reserve" (perhaps it reserves it for its own use). If I try to change the port to 1978, for example, it's OK and working, like this:

    object network host-1978
     host x.x.x.x
     nat (inside,outside) static interface service tcp 1977 1978

Unfortunately I have only one available outside IP address, which is assigned to the outside interface (I use the keyword "interface"). And I have to use port 1977 for NAT; I can't change the port to another one. That's why I'm asking: can I use port 1977 in my case or not? Why does the ASA reject this translation? What is the ASA using port 1977 for? Thanks!

Guest

Re:Cisco ASA NAT on port 1977 failed (unable to reserve)

Post by Guest » Sat Jan 01, 2005 7:33 pm

Hi, please post the output of "show asp table socket" and the sanitized running-config here. It looks like that port is already reserved for something on your ASA.

Thanks and Regards,
Prapanch

Guest

Re:Cisco ASA NAT on port 1977 failed (unable to reserve)

Post by Guest » Sat Jan 01, 2005 8:15 pm

    asa-1# sh asp table socket
    Protocol  Socket    Local Address               Foreign Address         State
    SSL       0003a68f  192.168.1.5:443             0.0.0.0:*               LISTEN
    SSL       0004664f  192.168.3.1:443             0.0.0.0:*               LISTEN
    TCP       0009f77f  192.168.1.5:22              0.0.0.0:*               LISTEN
    TCP       000d642f  192.168.3.1:22              0.0.0.0:*               LISTEN
    TCP       002b7168  192.168.1.5:22              192.168.1.111:3600      ESTAB

That's all! Maybe the ASA reserves this port for a future purpose? Here's the running-config:

    asa-1(config)# sh run
    : Saved
    :
    ASA Version 8.3(1)
    !
    hostname asa-1
    enable password xx
    passwd xx
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.5 255.255.255.0
    !
    interface Vlan3
     nameif baza
     security-level 90
     ip address 192.168.3.1 255.255.255.0
    !
    interface Vlan5
     nameif dmz
     security-level 20
     ip address 192.168.5.1 255.255.255.0
    !
    interface Vlan10
     nameif outside
     security-level 0
     ip address w.w.w.w 255.255.255.252
    !
    interface Ethernet0/0
     switchport access vlan 10
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
     switchport access vlan 3
    !
    interface Ethernet0/3
     switchport access vlan 5
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    clock timezone MSD 3
    clock summer-time MSK recurring last Sun Mar 3:00 last Sun Oct 2:00
    object network insidenat
     subnet 192.168.1.0 255.255.255.0
    object network bazanat
     subnet 192.168.2.0 255.255.255.0
    object network dmznat
     subnet 192.168.5.0 255.255.255.0
    object network vipnet
     host 192.168.1.118
    object network escort
     host 192.168.1.157
    access-list to_inet extended permit ip any any
    access-list from_dmz extended deny ip any any
    access-list from_inside extended permit ip any any
    access-list from_outside extended permit icmp any any echo-reply
    access-list from_outside extended permit icmp any any time-exceeded
    access-list from_outside extended permit tcp any any eq 1977
    access-list from_outside extended permit tcp any any eq 1978
    access-list from_baza extended permit ip any any
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 1048576
    logging buffered informational
    mtu inside 1500
    mtu baza 1500
    mtu dmz 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any baza
    icmp permit any dmz
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    !
    object network insidenat
     nat (inside,outside) dynamic interface
    object network bazanat
     nat (baza,outside) dynamic interface
    object network dmznat
     nat (dmz,outside) dynamic interface
    object network vipnet
     nat (inside,outside) static interface service udp 55777 55777
    object network escort
     nat (inside,outside) static interface service tcp 1977 1978
    access-group from_inside in interface inside
    access-group from_baza in interface baza
    access-group from_dmz in interface dmz
    access-group from_outside in interface outside
    access-group to_inet out interface outside
    route outside 0.0.0.0 0.0.0.0 w.w.w.w 1
    route baza 192.168.2.0 255.255.255.0 192.168.3.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.2.0 255.255.255.0 baza
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 192.168.2.0 255.255.255.0 baza
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username asdm password ff
    !

---------------------------------

If I use

    object network escort
     nat (inside,outside) static interface service tcp 1977 1978

it's OK. If I try

    object network escort
     nat (inside,outside) static interface service tcp 1977 1977

the ASA says error (unable to reserve address).
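A small offline check for the diagnosis Prapanch suggested, added here as an example and not taken from any post in this thread. It parses the "show asp table socket" output and the static PAT rules of the running-config posted above (both embedded verbatim as sample input) and reports whether a proposed mapped port collides with anything those two outputs show: a service the ASA itself is listening on, or a port another static PAT rule on the same mapped address already claims. All function and variable names are mine. Run against the posted outputs it finds no visible claim on tcp/1977, which is the same conclusion the thread reached: the "unable to reserve" cause is not something the socket table exposes, so the script can only rule out the two visible causes, not name the hidden one.

```python
import re

# Constructed sample input: the "show asp table socket" output posted in this thread.
SOCKET_TABLE = """\
asa-1# sh asp table socket
Protocol  Socket    Local Address               Foreign Address         State
SSL       0003a68f  192.168.1.5:443             0.0.0.0:*               LISTEN
SSL       0004664f  192.168.3.1:443             0.0.0.0:*               LISTEN
TCP       0009f77f  192.168.1.5:22              0.0.0.0:*               LISTEN
TCP       000d642f  192.168.3.1:22              0.0.0.0:*               LISTEN
TCP       002b7168  192.168.1.5:22              192.168.1.111:3600      ESTAB
"""

# Constructed sample input: the object NAT section of the running-config posted above.
RUNNING_CONFIG = """\
object network insidenat
 nat (inside,outside) dynamic interface
object network vipnet
 nat (inside,outside) static interface service udp 55777 55777
object network escort
 nat (inside,outside) static interface service tcp 1977 1978
"""

# One data row of "show asp table socket": proto, socket id (hex), local ip:port,
# foreign ip:port (foreign port may be "*"), state. Header and prompt lines do not match.
SOCKET_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<sock>[0-9a-f]+)\s+(?P<lip>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<fip>[\d.]+):(?P<fport>[\d*]+)\s+(?P<state>\S+)\s*$"
)

# An 8.3-style static PAT line: nat (real_if,mapped_if) static <mapped> service <proto> <real> <mapped>
NAT_RE = re.compile(
    r"^\s*nat\s+\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+static\s+(?P<mapped>\S+)"
    r"\s+service\s+(?P<proto>tcp|udp)\s+(?P<real_port>\d+)\s+(?P<mapped_port>\d+)"
)


def parse_sockets(text):
    """Return one dict per data row of 'show asp table socket'."""
    rows = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            row = m.groupdict()
            row["lport"] = int(row["lport"])
            rows.append(row)
    return rows


def listening_ports(text, proto_family="tcp"):
    """Set of (local_ip, port) the ASA itself has in LISTEN state for the given family.
    SSL rows are counted as TCP listeners, since SSL rides on TCP."""
    listeners = set()
    for row in parse_sockets(text):
        proto = "tcp" if row["proto"].lower() in ("tcp", "ssl") else row["proto"].lower()
        if row["state"] == "LISTEN" and proto == proto_family:
            listeners.add((row["lip"], row["lport"]))
    return listeners


def static_pat_mappings(config):
    """Set of (mapped_target, proto, mapped_port) already claimed by static PAT rules."""
    claimed = set()
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m:
            claimed.add((m["mapped"], m["proto"], int(m["mapped_port"])))
    return claimed


def check_mapped_port(sockets_text, config, proto, port, mapped_target="interface"):
    """List the visible reasons a static PAT to (mapped_target, proto, port) would clash.
    An empty list means neither output shows a claim on that port."""
    reasons = []
    hits = sorted(ip for ip, p in listening_ports(sockets_text, proto) if p == port)
    if hits:
        reasons.append(f"ASA itself listens on {proto}/{port} at {', '.join(hits)}")
    if (mapped_target, proto, port) in static_pat_mappings(config):
        reasons.append(f"an existing static PAT already maps {proto}/{port} on {mapped_target}")
    return reasons


if __name__ == "__main__":
    for proto, port in (("tcp", 1977), ("tcp", 1978), ("tcp", 22), ("udp", 55777)):
        reasons = check_mapped_port(SOCKET_TABLE, RUNNING_CONFIG, proto, port)
        print(f"{proto}/{port}: {'; '.join(reasons) if reasons else 'no visible conflict'}")
```

The listener check is deliberately conservative: it flags a port if the ASA listens on it on any interface, because the socket table lists management services per interface IP and the outside address is sanitized in the post. A port that passes both checks but is still rejected, as tcp/1977 is here, needs a different source of evidence than these two commands.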
