https://community.cisco.com/t5/network-security/pit-falls-of-passing-ntp-from-an-inside-source-through-an-asa-to/m-p/2723367#M179063 <P>&nbsp;</P><P>HI EJ</P><P>I think the problem is your NAT&nbsp;</P><P><SPAN style="font-size: 14.3999996185303px; line-height: normal;">o<EM>bject network ntp_internal_Yoko</EM></SPAN><BR style="font-size: 14.3999996185303px; line-height: normal;" /><EM><SPAN style="font-size: 14.3999996185303px; line-height: normal;">host&nbsp; "NTPInsideServer1"</SPAN><BR style="font-size: 14.3999996185303px; line-height: normal;" /><SPAN style="font-size: 14.3999996185303px; line-height: normal;">nat (inside,outside) static ntp_external service udp 123 123</SPAN></EM></P><P><SPAN style="font-size: 14.3999996185303px; line-height: normal;">you are trying to do&nbsp;&nbsp;a NAT&nbsp;&nbsp;from a real device to another real device!</SPAN></P><P><SPAN style="font-size: 14.3999996185303px; line-height: normal;">you don't really need to do a NAT at all as long as you allow outside to inside with ACLs</SPAN></P><P>&nbsp;</P><P><SPAN style="font-size: 14.3999996185303px; line-height: normal;">HTH</SPAN></P><P><SPAN style="font-size: 14.3999996185303px; line-height: normal;">Richard.</SPAN></P> Mon, 07 Sep 2015 03:54:26 GMT Richard Bradfield 2015-09-07T03:54:26Z https://community.cisco.com/t5/network-security/pit-falls-of-passing-ntp-from-an-inside-source-through-an-asa-to/m-p/2723366#M179062 <P>Good day all, I'm in a bit of a pickle.</P><P>We have a new 5585X running ASA &nbsp;9.1(6)6 with ASDM 7.4(2) in HA configuration.</P><P>It's working fine for our normal traffic and I have it passing log files from the DMZ to the log server; however, trying to get a DMZ Perimeter switch to talk to the NTP server on the inside is a bit of a bear.</P><P>Right now we have the packet tracer showing&nbsp;all green for the path between the Outside and Inside interfaces on the firewall.</P><P>However we are unable to see the DMZ device respond to time updates from the inside NTP server.</P><P>!create object for the outside interface&nbsp;<BR />object network ntp_external<BR />host "DMZoutside"</P><P>!Create the first object for the yoko ntp server<BR />object network ntp_internal_Yoko<BR />host&nbsp; "NTPInsideServer1"<BR />nat (inside,outside) static ntp_external service udp 123 123</P><P>!Create the second object for the sas ntp server<BR />object network ntp_internal_Sas<BR />host "NTPInsideServer2"<BR />nat (inside,outside) static ntp_external service udp 123 123</P><P>! Create the object group to bundle both servers IP's<BR />&nbsp;object-group network NTP_Group1<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; network-object object ntp_internal_Yoko<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; network-object object ntp_internal_Sas</P><P>! Create the access-lists for the outside interface<BR />access-list outside_access_in line 6 extended permit tcp object YOSSR object ntp_internal_Yoko eq 123 log disable<BR />access-list outside_access_in line 6 extended permit tcp object YOSSR object ntp_internal_Sas eq 123 log disable</P><P>&nbsp;</P><P>Creating the rule for ntp<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;access-group global_access global<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Outside_access_in line 28 extended permit udp object ntp_external object-group NTP_Group1 eq ntp&nbsp; log disable<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; clear configure access-list global_acce<BR />&nbsp;&nbsp;</P><P>Can anyone shed some light on this topic?</P><P>&nbsp;</P><P>ej</P> Tue, 12 Mar 2019 06:33:11 GMT https://community.cisco.com/t5/network-security/pit-falls-of-passing-ntp-from-an-inside-source-through-an-asa-to/m-p/2723366#M179062 Eric R. Jones 2019-03-12T06:33:11Z https://community.cisco.com/t5/network-security/pit-falls-of-passing-ntp-from-an-inside-source-through-an-asa-to/m-p/2723367#M179063 <P>&nbsp;</P><P>HI EJ</P><P>I think the problem is your NAT&nbsp;</P><P><SPAN style="font-size: 14.3999996185303px; line-height: normal;">o<EM>bject network ntp_internal_Yoko</EM></SPAN><BR style="font-size: 14.3999996185303px; line-height: normal;" /><EM><SPAN style="font-size: 14.3999996185303px; line-height: normal;">host&nbsp; "NTPInsideServer1"</SPAN><BR style="font-size: 14.3999996185303px; line-height: normal;" /><SPAN style="font-size: 14.3999996185303px; line-height: normal;">nat (inside,outside) static ntp_external service udp 123 123</SPAN></EM></P><P><SPAN style="font-size: 14.3999996185303px; line-height: normal;">you are trying to do&nbsp;&nbsp;a NAT&nbsp;&nbsp;from a real device to another real device!</SPAN></P><P><SPAN style="font-size: 14.3999996185303px; line-height: normal;">you don't really need to do a NAT at all as long as you allow outside to inside with ACLs</SPAN></P><P>&nbsp;</P><P><SPAN style="font-size: 14.3999996185303px; line-height: normal;">HTH</SPAN></P><P><SPAN style="font-size: 14.3999996185303px; line-height: normal;">Richard.</SPAN></P> Mon, 07 Sep 2015 03:54:26 GMT https://community.cisco.com/t5/network-security/pit-falls-of-passing-ntp-from-an-inside-source-through-an-asa-to/m-p/2723367#M179063 Richard Bradfield 2015-09-07T03:54:26Z https://community.cisco.com/t5/network-security/pit-falls-of-passing-ntp-from-an-inside-source-through-an-asa-to/m-p/2723368#M179064 <P>the correct answer we found out was to do twice nat.</P><P>once we did that everything worked just fine.</P><P>Then the NTP server stopped working a few days later.</P><P>We just rebooted it and everything is backup.</P><P>&nbsp;</P><P>ej</P> Mon, 26 Oct 2015 01:32:27 GMT https://community.cisco.com/t5/network-security/pit-falls-of-passing-ntp-from-an-inside-source-through-an-asa-to/m-p/2723368#M179064 Eric R. Jones 2015-10-26T01:32:27Z