Thursday, January 20, 2011

Cisco ASA 5505; Can't forward port 443: Why am I getting "Error: unable to download policy"?

Hi all,

I'm dealing with my first Cisco ASA (a 5505), using the ASDM interface. I've got to forward HTTP, HTTPS, PPTP and another port to a couple of internal servers.

I'm pretty sure I've got it all figured out, and have successfully (I believe, haven't actually tested yet ;) ) created and applied Static NAT rules for everything above, except HTTPS.

Via the interface I can add the rule for 443, and all looks good, but when I hit [apply] I get the following error, and then the 443/HTTPS entry is removed:

[ERROR] static (inside,outside) tcp interface 443 192.168.0.151 443 netmask 255.255.255.255 tcp 0 0 udp 0 unable to reserve port 443 for static PAT

ERROR: unable to download policy

I've had no problems creating my other rules, and can still successfully create other port rules (i.e.: '4434' as a test) so now I'm at a loss, any ideas?

Thanks in advance.

From serverfault techie007

  • The Cisco ASDM runs on port 443, so you'll probably have to switch that to a different port before trying to forward 443 to an inside destination.

    techie007 : Worked like a charm! Thanks!
    Patrick R : Erik beat me because I had to walk over to my device to verify the physical location of the SN;).
    Patrick R : +1 to Erik from slow poke.
    techie007 : Hehehe yeah, ya snail! Thanks again. ;)
    From pauska

  • It sounds as though you may be creating a conflict with the 443 port reservation for your ASDM/HTTPS admin connection. If you've recently purchased the ASA5505 you may still fall within the included technical support that cisco provides. If so, they are really good at gettting people (at least me) past issues like this.

    TAC support is at 1-800-553-2447

    tac@cisco.com

    They'll ask for the SN number on the bottom of your device.

    Edit: You could also turn off ASDM/HTTPS access and config over ssh or serial. That's were you'll probably head anyway once you get into administrating firewalls like this.

    Zypher : ASAs are NATing firewalls, not routers :)
    techie007 : Thanks for providing the same answer only a minute or so later, I +1'd you for giving me the phone number. :)
    Patrick R : @Zypher - thanks - I have three of them myself and know that - apparently I need some sleep.
    From Patrick R
Posted by Mu Cat at 6:51 AM

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)