topic Re: NTP through a VPN tunnel in Network Security

NTP through a VPN tunnel

irbk — Mon, 20 Nov 2023 15:47:53 GMT

I would like to setup sort of a single source of truth for time on the network. Our WatchGuard box at HQ already has pool.ntp configured on it and our servers are then getting NTP data from the WatchGuard. I'd like to also have the ASA 5525, who is on the other side of a VPN tunnel to the WatchGuard, using the WatchGuard as his NTP source. I've configured the ASA with
ntp server <ip of WatchGuard> source <vlan with firewall rules allowing NTP through to the WatchGuard>
The vlan above has other servers that are able to get NTP from the WatchGuard without issue. I'm guessing that the NTP packets from the ASA aren't really being sourced from the right interface or something? Even though I've specified a source.

Re: NTP through a VPN tunnel

balaji.bandi — Mon, 20 Nov 2023 15:56:36 GMT

So the issue you see on ASA only ?

is the Same ASA doing VPN ?

Re: NTP through a VPN tunnel

irbk — Mon, 20 Nov 2023 15:58:15 GMT

Correct, the ASA is doing the VPN tunnel to the WatchGuard. I'm wondering if the ASA can't send traffic through the tunnel when the source of the traffic is itself.

Re: NTP through a VPN tunnel

tvotna — Mon, 20 Nov 2023 16:03:16 GMT

Yes, the command "ntp server <ip> source <int>" takes IP from the specified interface, but the request is still routed via the routing table and doesn't make it into VPN.

Re: NTP through a VPN tunnel

irbk — Mon, 20 Nov 2023 16:07:52 GMT

Shoot, any way to fix that?

Re: NTP through a VPN tunnel

MHM Cisco World — Mon, 20 Nov 2023 16:10:59 GMT

Use inside as source interface to connect to NTP

Use access management for inside

And then check again

MHM

Re: NTP through a VPN tunnel

balaji.bandi — Mon, 20 Nov 2023 16:11:29 GMT

is the NTP destination IP part of Intersting traffic of Tunnel ?

check NTP can use over IPSEC (personally i dont like to use NTP - prefer to have local)

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113421-asa83-ntp-config-00.html

Re: NTP through a VPN tunnel

irbk — Mon, 20 Nov 2023 16:13:58 GMT

I don't have "inside" as an actual configured interface however the interface that I used is an "inside" interface. You think it might be a Management access rule issue?

Re: NTP through a VPN tunnel

irbk — Mon, 20 Nov 2023 16:16:41 GMT

Yes, the destination IP is part of interesting traffic to the tunnel.
I've seen that article before I posted this question but didn't find it helpful, but thanks.

Re: NTP through a VPN tunnel

MHM Cisco World — Mon, 20 Nov 2023 16:16:46 GMT

You use vpn s2s what is interface connect to LAN allow in vpn acl?

Use it as source for ntp.

Re: NTP through a VPN tunnel

irbk — Mon, 20 Nov 2023 16:20:48 GMT

Yes, that's what I'm doing. Interface "corp" is one of many vlans which are "internal" and the source that I'm putting for the NTP command. Same interface has an ACL allowing the corp/24 network to the WatchGuard on 123.

Re: NTP through a VPN tunnel

MHM Cisco World — Mon, 20 Nov 2023 16:39:28 GMT

Add

Management-access corp

Then check ntp sync

Re: NTP through a VPN tunnel

balaji.bandi — Mon, 20 Nov 2023 16:50:08 GMT

Try using interface internal in your case "corp"

Re: NTP through a VPN tunnel

irbk — Mon, 20 Nov 2023 19:52:24 GMT

Sorry it took me so long to reply but I wanted to lab this up before giving it a try. Adding the management-access cmd didn't change anything. AAMOF in a packet capture I don't even see the ASA trying to send packets through the tunnel.

Re: NTP through a VPN tunnel

irbk — Mon, 20 Nov 2023 19:54:10 GMT

Yeah the
ntp server <ip of WatchGuard> source <vlan with firewall rules allowing NTP through to the WatchGuard>
source as listed above is "corp"

Re: NTP through a VPN tunnel

MHM Cisco World — Mon, 20 Nov 2023 19:55:25 GMT

Take your time

Check vpn ot must be up.

Re: NTP through a VPN tunnel

irbk — Mon, 20 Nov 2023 19:56:29 GMT

Yep, VPN is up, a windows client behind the ASA can talk to the NTP server without issue. The ASA however doesn't seem to be able to communicate with it.

Re: NTP through a VPN tunnel

MHM Cisco World — Mon, 20 Nov 2023 20:05:12 GMT

Management access is solution here.

Re: NTP through a VPN tunnel

irbk — Mon, 20 Nov 2023 20:26:50 GMT

I've added the management access for inside as you suggested but it doesn't change anything. Let me rephrase that, I could ping to the remote server from the ASA, which I couldn't do before the management access inside command, so it's not that the command had no effect. However still no NTP. Still unsynchronized and insane. Plus I wouldn't want to enable that management access in production.