NTP - Configuration

a.guillen — Tue, 12 Mar 2019 02:27:42 GMT

Hi Gurus of Cisco

I want to synchronize my devices that are on the outside interface (please see the image bellow)

My Firewall has the following configuration:

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 181.66.39.100 255.255.255.128

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.1.8.101 255.255.255.0

My NTP server is 10.1.11.12 and is on the VLAN 11 (10.1.11.0/24) of my core Switch

From my core network I can reach the two devices that are outside the interface

CORE-SWITCH#ping 181.66.39.98 source vlan 11 repeat 20

Type escape sequence to abort.

Sending 20, 100-byte ICMP Echos to 181.66.39.98, timeout is 2 seconds:

Packet sent with a source address of 10.1.11.3

!!!!!!!!!!!!!!!!!!!!

Success rate is 100 percent (20/20), round-trip min/avg/max = 1/2/16 ms

CORE-SWITCH#

If run the ASDM tool "Packet tracer", select Interface "Inside", Packet Type "UDP", Source Address 10.1.11.12, Source Port NTP ---> Destination Address 181.66.39.98, Destination Port NTP ---> I can Reach,

packet-tracer input inside udp 10.1.11.12 ntp 181.66.39.98 ntp

The Result is:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

But in the other direction

packet-tracer input outside udp 181.66.39.98 ntp 10.1.11.12 ntp

Phase: 6

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (inside) 2 0.0.0.0 0.0.0.0

match ip inside any outside any

dynamic translation to pool 2 (181.66.39.102)

translate_hits = 2129309899, untranslate_hits = 249021388

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

In base of line above detail?, what lines I must be add to my firewall configuration to synchronize my devices that are on the outside interface

Any comments or sugestion is welcome

Re: NTP - Configuration

Karsten Iwen — Tue, 20 Aug 2013 07:06:57 GMT

NTP is typically used in a client/server-way where the two routers would be the client and the core-switch is the server. With that you have incoming connections from outside to inside. For that you not only need a permit-entry in your outside-ACL, but also a matching static-NAT-statement or a nat-excemption for that traffic.

The config could look like the folowing:

object-group network NTP-SERVER

network-object host 181.66.39.98

network-object host 181.66.39.99

access-list NAT-EXEMPT permit ip host 10.1.11.12 object-group NTP-SERVER

nat (inside) 0 access-list NAT-EXEMPT

Probably there is aready a NAT-exemption on your inide interface so that you have to add it to your actual config.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

topic NTP - Configuration in Network Security

NTP - Configuration

Re: NTP - Configuration