https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4729487#M1095468 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a>&nbsp;,</P><P>do you mean the traffic (port 123) is ntp server to client ? do you mean we don't need to allow client to server traffic ( port 123 ) ?</P> Tue, 29 Nov 2022 05:42:31 GMT MrBeginner 2022-11-29T05:42:31Z https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4725987#M1095231 <P>Hi,</P><P>I confuse how to work NTP traffic. My network device need NTP from window server. the firewall is between my network device and Window server .I enable NTP server service on window.</P><P>So i would like to know If i open NTP port 123 on firewall for the traffic from my network device to window server&nbsp; ?</P> Tue, 22 Nov 2022 15:38:29 GMT https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4725987#M1095231 MrBeginner 2022-11-22T15:38:29Z https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4725989#M1095233 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/823684">@MrBeginner</a> you'd create a rule from source of the network device to the destination of the ntp server on udp/123. As the firewall is stateful the return traffic should be permitted.</P> Tue, 22 Nov 2022 15:43:20 GMT https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4725989#M1095233 Rob Ingram 2022-11-22T15:43:20Z https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4725990#M1095234 <P>In most situations (which includes yours) the network device is the NTP-client and queries the NTP-server. So, yes, you open the port UDP/123 from device to the server.</P> Tue, 22 Nov 2022 15:44:02 GMT https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4725990#M1095234 Karsten Iwen 2022-11-22T15:44:02Z https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4726360#M1095264 <P>Hi All,</P><P>Thanks. Let me know if i am using window as ntp server,cisco network can get time sync ? it is any limitation ? Because I worry network device didn't understand SNTP or window only SNTP protocol.</P><P>if i want to do my router device get ntp for NTP server and other network devices will get ntp from my router, what kind of additional configuration do i need to configure on my router ?</P><P>what kind of security configuration can do on my router ?&nbsp; any advantage will have if i use ntp soure as loopback ?</P> Wed, 23 Nov 2022 07:13:11 GMT https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4726360#M1095264 MrBeginner 2022-11-23T07:13:11Z https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4726411#M1095269 <P>It depends on the Cisco device if they do NTP or SNTP. And also if they only implement an NTP client or an NTP server.</P> <P>Assuming that your Windows Server has a correct time, I would point all network devices to this server. The typical command is&nbsp;</P> <LI-CODE lang="markup">ntp server IPADDRESS</LI-CODE> <P>&nbsp;</P> Wed, 23 Nov 2022 09:12:43 GMT https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4726411#M1095269 Karsten Iwen 2022-11-23T09:12:43Z https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4728289#M1095379 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/325766">@Karsten Iwen</a>&nbsp;,</P><P>I only want the to allow on router to access to NTP server and the rest network device want to get NTP from router. It is possible ?</P><P>what kind of configuration do i need on my router ? Peer command ?</P> Sat, 26 Nov 2022 02:22:38 GMT https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4728289#M1095379 MrBeginner 2022-11-26T02:22:38Z https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4728312#M1095381 <P>should be fairly straight forward, by default router works in NTP client as well as server mode, it means it can get NTP info from external source as client, as well be a NTP server for other devices.</P> <P>so on upstream router just configure the router with ntp server with command</P> <P>ntp server &lt;IP of NTP server&gt;</P> <P>if the server supports authentication then configure authentication as well.</P> <P>on downstream devices, just point to upstream router as NTP server (same command)</P> <P>show ntp association to verify, play close attention to reference clock, you will see the reference clock on downstream devices/routers will be upstream router IP and for upstream router, it will be the NTP server you configured.</P> <P>example upstream</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ammahend_0-1669431965225.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/169109i134F0B73BCA29939/image-size/medium?v=v2&amp;px=400" role="button" title="ammahend_0-1669431965225.png" alt="ammahend_0-1669431965225.png" /></span></P> <P>downstream</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ammahend_2-1669432060762.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/169111i35C2BBE481291BFB/image-size/medium?v=v2&amp;px=400" role="button" title="ammahend_2-1669432060762.png" alt="ammahend_2-1669432060762.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Sat, 26 Nov 2022 03:07:58 GMT https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4728312#M1095381 Ambuj M 2022-11-26T03:07:58Z https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4728351#M1095382 <P>As already explained, it will work straight out of the box as a server if the router already got the time via NTP. The peer functionality is a different way to synchronise the time between different devices. Make also sure that the other devices can reach the router on UDP/123 and this is not blocked by any router ACL.</P> Sat, 26 Nov 2022 07:41:12 GMT https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4728351#M1095382 Karsten Iwen 2022-11-26T07:41:12Z https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4729369#M1095460 <P>I do lab,&nbsp;<BR />NTP Server-inside-FW-outside-NTP client&nbsp;<BR />for FW to allow NTP traffic to pass through you need access-list in OUT direction in&nbsp;<BR />the access-list is eq ntp.&nbsp;<BR /><BR />I do lab and test it and client is sync with server inside.&nbsp;</P> Mon, 28 Nov 2022 21:28:22 GMT https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4729369#M1095460 MHM Cisco World 2022-11-28T21:28:22Z https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4729487#M1095468 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a>&nbsp;,</P><P>do you mean the traffic (port 123) is ntp server to client ? do you mean we don't need to allow client to server traffic ( port 123 ) ?</P> Tue, 29 Nov 2022 05:42:31 GMT https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4729487#M1095468 MrBeginner 2022-11-29T05:42:31Z https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4729604#M1095475 <P>**<BR />friend there are known port you can use&nbsp;<BR />permit udp any any eq 123&nbsp;<BR />OR&nbsp;<BR />permit udp any any eq ntp&nbsp;<BR /><BR />and for may lab there are two case&nbsp;<BR /><BR />***<BR /><SPAN>NTP Server-inside-FW-outside-NTP client &lt;&lt;- this my lab and since traffic from low to high security level we need ACL&nbsp;<BR /><BR /></SPAN>or&nbsp;<BR /><BR /><SPAN>NTP client-inside -FW-outside-NTP Server &lt;&lt;- here you dont need any thing, since traffic from high to low security level</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 29 Nov 2022 10:59:14 GMT https://community.cisco.com/t5/network-security/ntp-rule-is-bidirectional/m-p/4729604#M1095475 MHM Cisco World 2022-11-29T10:59:14Z