https://community.cisco.com/t5/network-security/configuring-cisco-asa-application-layer-protocol-inspection/m-p/2602733#M201961 <P>To protect from&nbsp;the security issues that occur while opening port 123 for NTP , I have tried to configure NTP Client on the CISCO ASA Firewall. I have tried to synchronize the NTP Client time with an outside NTP Server.&nbsp;But the synchronization is not taking place due to large time difference between NTP Client and NTP Server.</P><P>To make the time difference less, I have to use the ntpd or ntpdate commands in the NTP running on the firewall. Is there any way to execute those commands in firewall ?.</P><P>Also is it possible to use the same NTP Client running on the firewall as an NTP server, from which other internal systems can synchronize their time ?.</P> Thu, 18 Dec 2014 08:59:11 GMT johnmathewhere 2014-12-18T08:59:11Z https://community.cisco.com/t5/network-security/configuring-cisco-asa-application-layer-protocol-inspection/m-p/2602731#M201959 <H3 class="p_H_Head2" style="font-size: 12.7272720336914px; color: rgb(51, 102, 102); font-weight: bold; font-family: Arial, Helvetica, sans-serif; margin: 14px 0em 7px -0.1in; line-height: normal;">&nbsp;</H3><P><SPAN style="font-size:14px;">While configuring a DNS Inspection Policy Map,&nbsp;To match a specific flag that is set in the DNS header,&nbsp;the following command can be used:</SPAN></P><P><SPAN style="font-size: 14px;">hostname(config-cmap)# <B class="cBold">match </B>[<B class="cBold">not</B>]<B class="cBold"> header-flag </B>[<SPAN style="color: black; font-weight: bold;">eq</SPAN>] {<SPAN style="color: black; font-style: oblique;">f_well_known</SPAN> | <SPAN style="color: black; font-style: oblique;">f_value</SPAN>}</SPAN></P><P>&nbsp;</P><P>I want to configure NTP<SPAN style="font-size: 14px;">&nbsp;Inspection Policy Map.&nbsp;My aim is to drop all Mode-6 and Mode-7 NTP Packets that arrive at the&nbsp;firewall.</SPAN></P><P><SPAN style="font-size: 14px;">Which command can be used to match a specific flag that is set in the NTP Header ?.</SPAN></P><P>&nbsp;</P> Tue, 12 Mar 2019 05:14:25 GMT https://community.cisco.com/t5/network-security/configuring-cisco-asa-application-layer-protocol-inspection/m-p/2602731#M201959 johnmathewhere 2019-03-12T05:14:25Z https://community.cisco.com/t5/network-security/configuring-cisco-asa-application-layer-protocol-inspection/m-p/2602732#M201960 <P>There is no NTP-inspection engine in the ASA. Have a look at the following list for the supported inspections:</P><P><A href="http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/inspect-overview.html">http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/inspect-overview.html</A></P><P>You have to look for a solution outside of the ASA. Do you have an IOS-router in front of your ASA? Perhaps <A href="http://www.cisco.com/c/en/us/products/security/ios-flexible-packet-matching-fpm/index.html">Flexible packet matching</A> could help you with that.</P> Thu, 18 Dec 2014 08:23:44 GMT https://community.cisco.com/t5/network-security/configuring-cisco-asa-application-layer-protocol-inspection/m-p/2602732#M201960 Karsten Iwen 2014-12-18T08:23:44Z https://community.cisco.com/t5/network-security/configuring-cisco-asa-application-layer-protocol-inspection/m-p/2602733#M201961 <P>To protect from&nbsp;the security issues that occur while opening port 123 for NTP , I have tried to configure NTP Client on the CISCO ASA Firewall. I have tried to synchronize the NTP Client time with an outside NTP Server.&nbsp;But the synchronization is not taking place due to large time difference between NTP Client and NTP Server.</P><P>To make the time difference less, I have to use the ntpd or ntpdate commands in the NTP running on the firewall. Is there any way to execute those commands in firewall ?.</P><P>Also is it possible to use the same NTP Client running on the firewall as an NTP server, from which other internal systems can synchronize their time ?.</P> Thu, 18 Dec 2014 08:59:11 GMT https://community.cisco.com/t5/network-security/configuring-cisco-asa-application-layer-protocol-inspection/m-p/2602733#M201961 johnmathewhere 2014-12-18T08:59:11Z https://community.cisco.com/t5/network-security/configuring-cisco-asa-application-layer-protocol-inspection/m-p/2602734#M201962 <P>Before configuring NTP on the client, you should set the clock manually to a time that is very close to the time on the NTP-server. Just remember that the timezone is not communicated in NTP and has to be set individually.</P><P>For the rest: What system are you talking about? Can't be an ASA as there is no ntpd or ntpdate. All is configured with "ntp ...".</P><P>And the ASA only has an ntp-client, but can't act as an ntp-server. An IOS-device can be ntp-client and ntp-server at the same time.</P> Thu, 18 Dec 2014 09:19:36 GMT https://community.cisco.com/t5/network-security/configuring-cisco-asa-application-layer-protocol-inspection/m-p/2602734#M201962 Karsten Iwen 2014-12-18T09:19:36Z