Overview
While reviewing the Error logs, entries such as the following appear frequently:
(3) Out of free NAT ports: Unable to handle connection 172.16.5.46:57173 -> <external_country_IP>:443.
(3) Out of free NAT ports: Unable to handle connection <external_country_IP>:41390 -> 172.18.1.3:443.
(3) Out of free NAT ports: Unable to handle connection 172.16.5.67:63049 -> <external_country_IP>:80.
(3) Out of free NAT ports: Unable to handle connection 172.16.1.2:61724 -> <control_IP>:53.
In the Debug logs, with "Packets dropped for some reason" enabled, the message "Unable to allocate port for NAT" is shown.
This article explains the common situations that cause these entries to be generated and how to resolve them.
Information
When port mapping is configured together with translation of a port to a service, the ports used in different Traffic Rules may overlap.
If the NATed port cannot be allocated, the errors shown above are logged.
It may be that some external IP addresses are trying to access the Kerio Control firewall's public IP. The ports involved are usually the common ones used for HTTP, HTTPS, and DNS services.
The suspicious IPs can be identified via IP2Location and then blocked with the GeoIP filter or dropped via Traffic Rules.
Additionally, it might be an indication of unsolicited or pirated software installed on PCs connected to Kerio Control. Make sure to check the local computers using third-party antivirus solutions, such as Avast, ESET, or Kaspersky.
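To decide which of the two situations above applies, the entries can be tallied by who opened the connection. The following is an added example, not part of the original article or of Kerio Control: it assumes the entry format shown in the Overview, treats RFC 1918 ranges as the internal networks, and uses constructed sample lines with documentation IP addresses.

```python
import ipaddress
import re
from collections import Counter

# Matches the Error log entry format shown in the Overview.
ENTRY = re.compile(
    r"Out of free NAT ports: Unable to handle connection "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
# Assumption: internal networks are the RFC 1918 ranges. Listed explicitly
# because ipaddress.is_private also covers documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
(3) Out of free NAT ports: Unable to handle connection 172.16.5.46:57173 -> 203.0.113.10:443.
(3) Out of free NAT ports: Unable to handle connection 203.0.113.77:41390 -> 172.18.1.3:443.
(3) Out of free NAT ports: Unable to handle connection 172.16.5.67:63049 -> 203.0.113.10:80.
(3) Out of free NAT ports: Unable to handle connection 172.16.1.2:61724 -> 198.51.100.53:53.
(3) Out of free NAT ports: Unable to handle connection 172.16.5.46:57174 -> 203.0.113.10:443.
(3) Out of free NAT ports: Unable to handle connection 203.0.113.77:41391 -> 172.18.1.3:443.
(3) Unrelated entry that must be ignored.
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def summarize(log_text):
    """Return (internal_sources, external_sources, dest_ports) as Counters."""
    internal_sources = Counter()  # LAN hosts opening connections: antivirus check candidates
    external_sources = Counter()  # outside addresses hitting mapped services: block candidates
    dest_ports = Counter()
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        dest_ports[int(m["dport"])] += 1
        bucket = internal_sources if is_internal(m["src"]) else external_sources
        bucket[m["src"]] += 1
    return internal_sources, external_sources, dest_ports

if __name__ == "__main__":
    internal, external, ports = summarize(SAMPLE_LOG)
    print("Internal hosts to inspect:", internal.most_common(5))
    print("External sources to look up and block:", external.most_common(5))
    print("Destination ports:", ports.most_common(5))
```

External sources that dominate the count are the ones to look up and filter; internal hosts that dominate are the ones to scan first.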