05-11-2005 07:10 AM - edited 03-09-2019 11:13 AM
Hi,
I got following error message in a Cisco router's log file,
NAT: In FTP PORT Address, wanted ',' got '_'
Does anyone happen to know what's the cause of this problem? Thanks a lot in advance!
05-17-2005 05:21 PM
NAT in most cases is simply a layer-3 function, changing the source and/or destination address in the IP layer of the packet. However, certain protocols (FTP included) include IP addresses in the data portion of their packets also (at layer 7). NAT needs to be smart enough to look into the data portion and change those IP addresses as well. IOS NAT does do this, as do most NAT devices nowadays, but as you can imagine it does take quite a lot of extra coding.
IOS NAT looks for IP addresses sent in the FTP PORT command and changes those accordingly if necessary. It looks for the IP address in a specific format as we've discussed already. If you're seeing what looks like the correct format with a Sniffer trace then there may be something else going on. A good test would be to try a different FTP client and/or server and see if the messages still come up.
There's no command in IOS to see exactly what is in the FTP packet unfortunately. You can "debug nat" which will give you some information, but probably not what we're looking for.
05-11-2005 08:21 PM
This message means that NAT was trying to do a layer 4 fix up on the address in an FTP open and couldn't find the ip addresses it needed to translate in the packet. When an FTP session is initiated, it negotiates 2 channels: a command channel and a data channel. These are both IP addresses with different port numbers. FTP client and server will negotiate a second data channel to transfer files.
The packet exchanged via the control channel has the format PORT i,i,i,i,p,p. i,i,i,i are the four bytes of an IP address; p,p specifies the port. NAT tries to match this pattern and translate the address/port if necessary.
NAT must translate both channels' addressing schemes. NAT scans for numbers in the command stream until it thinks it has found a port command that requires translation. It tries to parse out the translation, which it calculates using the pattern discussed above. If the packet is corrupt or the ftp server or client are malforming commands (or in your case using underscores instead of commas), NAT cannot properly calculate the translation and it generates that error.
According to the FTP (http://www.rfc-editor.org/cgi-bin/rfcdoctype.pl?loc=RFC&letsgo=959&type=ftp&file_format=txt)
specification, the PORT command options will be separated by commas:
-------------------------------------------------
DATA PORT (PORT)
The argument is a HOST-PORT specification for the data port to be used in data connection. There are defaults for both the user and server data ports, and under normal circumstances this command and its reply are not needed. If this command is used, the argument is the concatenation of a 32-bit internet host address and a 16-bit TCP port address. This address information is broken into 8-bit fields and the value of each field is transmitted as a decimal number (in character string representation). The fields are separated by commas. A port command would be:
PORT h1,h2,h3,h4,p1,p2
where h1 is the high order 8 bits of the internet host address.
-------------------------------------------------
so it looks like your FTP implementation is broken. To be sure you'd have to get a Sniffer trace of the traffic, but it looks like it's sending out the PORT command with underscores instead of commas.
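To make the parsing step concrete, here is an added Python example (not from the thread or from IOS) of a toy FTP PORT-command fixup of the kind the reply describes: it walks the argument field by field, insists on the RFC 959 separators, rewrites the address and port for an inside-to-outside translation, and reports a malformed argument in a log string modelled on the message in the original question. The host addresses, the error wording and the function names are assumptions made for illustration; the real IOS parser is not shown here.

```python
"""Toy FTP PORT-command ALG: parse, validate and rewrite PORT arguments (RFC 959)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PortCommand:
    host: str   # dotted-quad IPv4 carried in the PORT argument
    port: int   # TCP data port, p1 * 256 + p2


class PortParseError(ValueError):
    """The PORT argument does not match the h1,h2,h3,h4,p1,p2 form."""


def parse_port_argument(arg: str) -> PortCommand:
    """Parse 'h1,h2,h3,h4,p1,p2': six decimal fields, each 0-255, comma separated."""
    fields = []
    i, n = 0, len(arg)
    for field_no in range(1, 7):
        start = i
        while i < n and arg[i].isdigit():
            i += 1
        if start == i:
            raise PortParseError(f"field {field_no}: expected a decimal number")
        value = int(arg[start:i])
        if value > 255:
            raise PortParseError(f"field {field_no}: {value} does not fit in 8 bits")
        fields.append(value)
        if field_no < 6:
            # The next character must be the comma separator; an underscore here
            # is the situation the router in the thread complained about.
            if i >= n:
                raise PortParseError(f"after field {field_no}: wanted ',' got end of line")
            if arg[i] != ",":
                raise PortParseError(f"after field {field_no}: wanted ',' got '{arg[i]}'")
            i += 1
    if i != n:
        raise PortParseError(f"unexpected trailing data: '{arg[i:]}'")
    h1, h2, h3, h4, p1, p2 = fields
    return PortCommand(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def format_port_argument(cmd: PortCommand) -> str:
    """Inverse of parse_port_argument: dotted quad plus port split into p1,p2."""
    return ",".join(cmd.host.split(".") + [str(cmd.port // 256), str(cmd.port % 256)])


def nat_fixup(line: str, inside_host: str, outside_host: str,
              outside_port: Optional[int] = None) -> str:
    """Rewrite a control-channel line if it is a PORT command naming inside_host.

    Lines that are not PORT commands, or that name another host, pass through
    unchanged. A malformed argument raises PortParseError: like the router,
    this code cannot translate what it cannot parse.
    """
    body = line.rstrip("\r\n")
    eol = line[len(body):]
    verb, _, arg = body.partition(" ")
    if verb.upper() != "PORT":
        return line
    cmd = parse_port_argument(arg.strip())
    if cmd.host != inside_host:
        return line
    new_port = cmd.port if outside_port is None else outside_port
    return f"PORT {format_port_argument(PortCommand(outside_host, new_port))}{eol}"


def check_port_line(line: str) -> Optional[str]:
    """Return a router-style log string for a broken PORT line, or None if it parses.

    The prefix copies the message quoted in the thread; the detail text is ours.
    """
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    if verb.upper() != "PORT":
        return None
    try:
        parse_port_argument(arg.strip())
    except PortParseError as exc:
        return f"NAT: In FTP PORT Address, {exc}"
    return None


if __name__ == "__main__":
    # Constructed sample lines: a well-formed PORT command and one using underscores.
    good = "PORT 192,168,1,10,7,233\r\n"
    bad = "PORT 192_168_1_10_7_233\r\n"
    print(nat_fixup(good, "192.168.1.10", "203.0.113.5", 40001))
    print(check_port_line(bad))
```

Running the block prints the rewritten command ("PORT 203,0,113,5,156,65") for the well-formed line and a log string ending in "wanted ',' got '_'" for the underscore line, which is exactly the failure mode described above: the fixup never reaches the translation step because the separator check fails on the first field.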
05-12-2005 06:40 AM
Thanks a lot for the reply. I have 2 more questions about this issue.
1) As far as I understand, the NAT is a layer 3 function, translating source and/or destination IP addresses (sometimes along with ports if PAT is used) between inside network and outside network. Why should NAT care what format the FTP protocol's PORT command uses? The NAT should let application layer take care of that. Correct me if I'm wrong.
2) I have already run Ethereal to capture all FTP traffic between my router's fa0/0 port and the ftp server after the NAT is done in the router. All FTP PORT commands are in format of i,i,i,i,p,p and I didn't see any _ character in them. I don't have a protocol analyzer which could capture the original FTP protocol packets flowing into serial ports before the NAT occurs. Does Cisco router have any command that could allow me to find out which packet generates the error message?
Thanks a lot in advance!
05-16-2005 06:47 AM
I need some help with this log message. Could anyone help? Or should I post questions regarding NAT to a different forum? Let me know if you know a better one. Any information will be appreciated! Thanks!