topic What is "correct time" that in Network Security

NTP in ASA cannot work

eigrpy — Tue, 12 Mar 2019 06:24:02 GMT

Hi Anyone can take a the commands. Why NTP in ASA cannot work ? Thank you

ASA1(config)# sh run ntp
ntp server 12.1.1.1 source outside
ASA1(config)#

ASA1(config)# sh ntp statu
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is 00000000.00000000 (00:24:16.000 EST Thu Feb 7 2036)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec

ASA1(config)# sh int ip bri
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset down down
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset up up
Vlan1 10.1.1.1 YES manual down down
Vlan2 12.1.1.1 YES manual up up
Virtual0 127.0.0.1 YES unset up up
ASA1(config)#

The command is ok, you even

Karsten Iwen — Sat, 08 Aug 2015 22:14:20 GMT

The command is ok, you even don't need the "source outside". But you have to use the IP address of a public NTP-server like 198.24.147.90 (which is 3.north-america.pool.ntp.org) and not your ASA IP address.

Thank you so much for your

eigrpy — Sat, 08 Aug 2015 22:48:26 GMT

Thank you so much for your reply.

With router, we can setup ntp the router itself without other connection to other device. So you mean ASA is different with router ios in ntp, right ? and ASA cannot have its own ntp system ? The ASA that I am talking about is ASA5505

You want to configure the ASA

Karsten Iwen — Sun, 09 Aug 2015 00:02:04 GMT

You want to configure the ASA to be an NTP-server for other network-devices? No, that's not possible on the ASA. The ASA only has an NTP-client, not an NTP-server as IOS-routers and switches have.

In lab environment, we can

eigrpy — Sun, 09 Aug 2015 00:47:12 GMT

In lab environment, we can set ASA as ntp client without public ip address, right ?

Sometimes we set NTP for certificate in ASA. So the ntp is not required for the certificate in ASA ? Thank you

When you use the NTP-client,

Karsten Iwen — Sun, 09 Aug 2015 08:21:53 GMT

When you use the NTP-client, you point the ASA to the IP address of an NTP server. That can be a public or a private address. Very often the switched infrastructure is used as the NTP-server.

You can use the ASA also with certificates without NTP. You only should have a correct time. And using NTP is the easiest way and a best-practice to achieve that.

What is "correct time" that

eigrpy — Mon, 10 Aug 2015 13:33:05 GMT

What is "correct time" that you mentioned ? You mean the same time with other device ? If it does not have correct time, the certificate process can work ? Thank you

The definition of "correct

Karsten Iwen — Mon, 10 Aug 2015 14:19:59 GMT

The definition of "correct time" can depend on what you want to achieve. For certificate-based authentication, the ASA-time has to be within the validity period of the certificate. For that, even when the time is minutes or even hours wrong, it could work.

For logging it's different. There you want to correlate exactly with other sources of information what happened. There you need a very exact time.

All in all, there are enough time-sources that you can use for NTP. If you have one internally, take that. If not, take on on the internet.

Excellent, Thank you!

eigrpy — Mon, 10 Aug 2015 14:22:58 GMT

Excellent, Thank you!

I try and setup NTP as

burleyman — Mon, 10 Aug 2015 15:09:44 GMT

I try and setup NTP as follows.

I point the Domain Controller out to a pool of NTP servers on the internet.

I then point the Core switch to the Domain Controller for its time.

Then I point all the IDF switches and the ASA to the core switch for NTP.

Thanks,

Mike