
NAT error message

techanony
Level 1

Hi,

I got following error message in a Cisco router's log file,

NAT: In FTP PORT Address, wanted ',' got '_'

Does anyone happen to know what's the cause of this problem? Thanks a lot in advance!


4 Replies

gfullage
Cisco Employee

This message means that NAT was trying to do a layer 4 fix up on the address in an FTP open and couldn't find the IP addresses it needed to translate in the packet. When an FTP session is initiated, it negotiates 2 channels: a command channel and a data channel. These are both IP addresses with different port numbers. FTP client and server will negotiate a second data channel to transfer files.

The packet exchanged via the control channel has the format "PORT i,i,i,i,p,p". i,i,i,i are the four bytes of an IP address; p,p specifies the port. NAT tries to match this pattern and translate the address/port if necessary.

NAT must translate both channels' addressing schemes. NAT scans for numbers in the command stream until it thinks it has found a port command that requires translation. It tries to parse out the translation, which it calculates using the pattern discussed above. If the packet is corrupt or the FTP server or client are malforming commands (or in your case using underscores instead of commas), NAT cannot properly calculate the translation and it generates that error.

According to the FTP specification (http://www.rfc-editor.org/cgi-bin/rfcdoctype.pl?loc=RFC&letsgo=959&type=ftp&file_format=txt), the PORT command options will be separated by commas:

-------------------------------------------------
DATA PORT (PORT)

The argument is a HOST-PORT specification for the data port to be used in data connection. There are defaults for both the user and server data ports, and under normal circumstances this command and its reply are not needed. If this command is used, the argument is the concatenation of a 32-bit internet host address and a 16-bit TCP port address. This address information is broken into 8-bit fields and the value of each field is transmitted as a decimal number (in character string representation). The fields are separated by commas. A port command would be:

PORT h1,h2,h3,h4,p1,p2

where h1 is the high order 8 bits of the internet host address.
-------------------------------------------------

so it looks like your FTP implementation is broken. To be sure you'd have to get a Sniffer trace of the traffic, but it looks like it's sending out the PORT command with underscores instead of commas.
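An added example, not code from this thread, from Cisco or from IOS: a small Python parser for the RFC 959 PORT argument that walks the fields the way a NAT fix-up must, reports any separator other than a comma in the same "wanted ',' got ..." form as the log line in the question, and rewrites the advertised address when it belongs to the inside host. The sample commands, the inside/outside addresses (10.1.1.5 and 203.0.113.7) and all function names are constructed for illustration.

```python
"""Parse and rewrite the RFC 959 FTP PORT command the way a NAT fix-up has to.

Added example (not from the thread or from IOS); all addresses and sample
commands below are constructed for illustration.
"""
from typing import List, Optional, Tuple


class PortParseError(ValueError):
    """The PORT argument does not match h1,h2,h3,h4,p1,p2."""


def parse_port(line: str) -> Tuple[str, int]:
    """Parse 'PORT h1,h2,h3,h4,p1,p2' and return (dotted_ip, tcp_port).

    The argument is scanned field by field: a run of digits, then a comma,
    five times, then a final run of digits. Any other separator is reported in
    the same spirit as the IOS log line quoted in the question.
    """
    text = line.rstrip("\r\n")
    if not text.upper().startswith("PORT "):
        raise PortParseError("not a PORT command")
    arg = text[5:]
    fields: List[int] = []
    pos = 0
    for idx in range(6):
        start = pos
        while pos < len(arg) and arg[pos].isdigit():
            pos += 1
        if start == pos:
            got = arg[pos] if pos < len(arg) else "end of line"
            raise PortParseError(f"In FTP PORT Address, wanted digit got {got!r}")
        value = int(arg[start:pos])
        if value > 255:  # each field is one 8-bit quantity sent in decimal
            raise PortParseError(f"In FTP PORT Address, field {idx + 1} out of range: {value}")
        fields.append(value)
        if idx < 5:
            sep = arg[pos] if pos < len(arg) else "end of line"
            if sep != ",":
                raise PortParseError(f"In FTP PORT Address, wanted ',' got {sep!r}")
            pos += 1
    if pos != len(arg):
        raise PortParseError(f"trailing data after PORT argument: {arg[pos:]!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(ip: str, port: int) -> str:
    """Inverse of parse_port: build the wire form of a PORT command."""
    h = ip.split(".")
    return f"PORT {h[0]},{h[1]},{h[2]},{h[3]},{port // 256},{port % 256}\r\n"


def translate_port(line: str, inside_ip: str, outside_ip: str,
                   outside_port: Optional[int] = None) -> str:
    """Rewrite the PORT command when it carries the inside address.

    This is the layer-7 part of the fix-up: the address (and, under PAT, the
    port) the client advertised for the data connection is replaced with the
    translated pair so the server connects to something reachable. Commands
    naming any other host are returned unchanged.
    """
    ip, port = parse_port(line)
    if ip != inside_ip:
        return line
    return format_port(outside_ip, port if outside_port is None else outside_port)


def nat_log(lines: List[str], inside_ip: str, outside_ip: str) -> List[str]:
    """Run a command stream through translate_port and collect log entries.

    Well-formed commands log the (possibly rewritten) line; malformed ones log
    a NAT-style error, which is the behaviour the thread describes: the router
    complains rather than repairing a broken client.
    """
    entries = []
    for line in lines:
        try:
            entries.append("OK " + translate_port(line, inside_ip, outside_ip).strip())
        except PortParseError as exc:
            entries.append(f"NAT: {exc}")
    return entries


# Constructed sample: a well-formed PORT from the inside host, the underscore
# variant that trips the fix-up, and a PORT naming some other host.
SAMPLE_STREAM = [
    "PORT 10,1,1,5,4,1\r\n",
    "PORT 10_1_1_5_4_1\r\n",
    "PORT 192,168,0,9,20,0\r\n",
]

if __name__ == "__main__":
    for entry in nat_log(SAMPLE_STREAM, "10.1.1.5", "203.0.113.7"):
        print(entry)
```

Two things the toy leaves out that a real fix-up has to handle: rewriting "10,1,1,5" to "203,0,113,7" changes the length of the TCP payload, so the device must also adjust sequence and acknowledgement numbers for the rest of the control connection, and it must apply the same treatment to the server-side 227 (PASV) reply. Feeding a capture of the control channel through nat_log shows which command a "wanted ',' got '_'" message is complaining about, since the parser fails on the same byte the router would.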

Thanks a lot for the reply. I have 2 more questions about this issue.

1) As far as I understand, the NAT is a layer 3 function, translating source and/or destination IP addresses (sometimes along with ports if PAT is used) between inside network and outside network. Why should NAT care what format the FTP protocol’s PORT command uses? The NAT should let application layer take care of that. Correct me if I’m wrong.

2) I have already run Ethereal to capture all FTP traffic between my router's fa0/0 port and the ftp server after the NAT is done in the router. All FTP PORT commands are in the format i,i,i,i,p,p and I didn't see any "_" character in them. I don't have a protocol analyzer which could capture the original FTP protocol packets flowing into serial ports before the NAT occurs. Does the Cisco router have any command that could allow me to find out which packet generates the error message?

Thanks a lot in advance!

I need some help with this log message. Could anyone help? Or should I post questions regarding NAT to a different forum? Let me know if you know a better one. Any information will be appreciated! Thanks!

NAT in most cases is simply a layer-3 function, changing the source and/or destination address in the IP layer of the packet. However, certain protocols (FTP included) include IP addresses in the data portion of their packets also (at layer 7). NAT needs to be smart enough to look into the data portion and change those IP addresses as well. IOS NAT does do this, as do most NAT devices nowadays, but as you can imagine it does take quite a lot of extra coding.

IOS NAT looks for IP addresses sent in the FTP PORT command and changes those accordingly if necessary. It looks for the IP address in a specific format as we've discussed already. If you're seeing what looks like the correct format with a Sniffer trace then there may be something else going on. A good test would be to try a different FTP client and/or server and see if the messages still come up.

There's no command in IOS to see exactly what is in the FTP packet unfortunately. You can "debug nat" which will give you some information, but probably not what we're looking for.