https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3754297#M8689 Hello Marvin Rhoads,<BR /><BR />I appreciate your Solution but my question is, how i permit the traffic for this 10.x.x.x(local Ntp server) on ASA to sync with global Ntp servers, do i use the public IP address of global Ntp server as a Destination IP in access rule or do i allow any destination with UDP 123. Wed, 28 Nov 2018 12:29:34 GMT Nishan Thevathason 2018-11-28T12:29:34Z https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3753862#M8685 <P>Hello Experts,</P> <P>&nbsp;</P> <P>I hope you all are doing great.</P> <P>&nbsp;</P> <P>We have a Ntp server in a customer local network and we want to sync that Ntp server with Global Ntp server, the Ntp traffic will traverse through the Cisco ASA, So i just want to know what is the Best practice we ever used while we are creating rules for inbound or outbound traffic on ASA for Ntp.</P> <P>&nbsp;</P> <P>Currently we are using below rules for Ntp traffic on ASA.</P> <P>&nbsp;</P> <P>access-list Outside-to-Inside extended permit udp any host 10.x.x.x eq ntp<BR />access-list Inside-to-Outside extended permit udp host 10.x.x.x any eq ntp</P> <P>&nbsp;</P> <P>Thanks in advance.</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 21 Feb 2020 16:30:43 GMT https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3753862#M8685 Nishan Thevathason 2020-02-21T16:30:43Z https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3753892#M8686 <P>my opinion</P> <P>&nbsp;</P> <P>access-list Outside-to-Inside extended permit udp any host 10.x.x.x eq ntp </P> <P>&nbsp;</P> <P>however, if you know the ntp server ip address than create a object-group and match it with that.</P> <P>&nbsp;</P> <P>for example.</P> <P>Object-group NTP-SERVER</P> <P>&nbsp;object-network host x.x.x.x.x</P> <P>!</P> <P>access-list Outside-to-Inside extended permit object-group NTP-SERVER&nbsp; host 10.x.x.x eq ntp</P> <P>&nbsp;</P> Tue, 27 Nov 2018 21:24:50 GMT https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3753892#M8686 Sheraz.Salim 2018-11-27T21:24:50Z https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3754022#M8687 <P>If the ntp requests originate from inside, you don't need the outside-to-inside acl.</P> <P>&nbsp;</P> <P>The ASA is a stateful firewall and will recognize the return traffic as part of a udp flow that it has in the state table.</P> Wed, 28 Nov 2018 02:21:48 GMT https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3754022#M8687 Marvin Rhoads 2018-11-28T02:21:48Z https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3754057#M8688 that's good point. Wed, 28 Nov 2018 04:14:52 GMT https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3754057#M8688 venkat_n7 2018-11-28T04:14:52Z https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3754297#M8689 Hello Marvin Rhoads,<BR /><BR />I appreciate your Solution but my question is, how i permit the traffic for this 10.x.x.x(local Ntp server) on ASA to sync with global Ntp servers, do i use the public IP address of global Ntp server as a Destination IP in access rule or do i allow any destination with UDP 123. Wed, 28 Nov 2018 12:29:34 GMT https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3754297#M8689 Nishan Thevathason 2018-11-28T12:29:34Z https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3754303#M8690 <P>If you want to restrict the local ntp server to using one and only one public (global) ntp server then specify that public ntp server as the destination ip.</P> <P>&nbsp;</P> <P>If the internal server points to an FQDN (like pool.ntp.org which resolves to multiple IP addresses) or you want to allow them to use any public ntp server without requiring further firewall ACL changes then use "any" as the destination ip.&nbsp;</P> Wed, 28 Nov 2018 12:35:21 GMT https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3754303#M8690 Marvin Rhoads 2018-11-28T12:35:21Z https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3754320#M8691 Thanks Marvin,<BR /><BR />I want to point the internal server points to an FQDN (like pool.ntp.org which resolves to multiple IP addresses) but i want to ensure, if there is any chance of any cyber attack, or it is safe to use "any" destination with udp 123. Wed, 28 Nov 2018 12:50:14 GMT https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3754320#M8691 Nishan Thevathason 2018-11-28T12:50:14Z https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3754322#M8692 <P>The "any" doesn't affect who can originate traffic from outside. It only allows the trusted inside ntp server to use any public server.</P> <P>&nbsp;</P> <P>Only the return flows from the public ntp servers that your trusted server has selected will be allowed from outside to inside.</P> Wed, 28 Nov 2018 12:54:13 GMT https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3754322#M8692 Marvin Rhoads 2018-11-28T12:54:13Z https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3754327#M8693 Thanks Marvin,<BR /><BR />This is the only confusion i have if anyone maliciously attack on our trusted local Ntp server, So i could we save our trusted Ntp server.<BR /><BR />i am looking forward that best practice or workaround. Wed, 28 Nov 2018 13:02:47 GMT https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3754327#M8693 Nishan Thevathason 2018-11-28T13:02:47Z https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3754332#M8694 <P>Best practice varies according to your risk profile.</P> <P>&nbsp;</P> <P>Ultra secure is a dedicated NTP appliance with antenna to GPS satellites. They encode precise timing and a dedicate appliance can derive NTP from that.</P> <P>&nbsp;</P> <P>Anything Internet-based is less secure.</P> <P>&nbsp;</P> <P>The next most secure would be a hardened Linux server running minimal services.</P> <P>&nbsp;</P> <P>In the middle would be what many organizations do - distribute NTP from a core switch or other network device.</P> <P>&nbsp;</P> <P>Less (least?) secure would be running a Windows server with NTP server enabled.</P> <P>&nbsp;</P> <P>In all the Internet-based cases, if your trusted server is only configured to use a well-known (or few well-known) public ntp server(s) then your attack scenarios would have to be someone taking over thoise servers and targeting you (or the whole Internet) in an ntp-based attack. Most people would consider that a very unlikely scenario.</P> <P>&nbsp;</P> <P>You could further lock it down by doing only authenticated ntp, however you have to register or subscribe for such services.</P> Wed, 28 Nov 2018 13:15:02 GMT https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3754332#M8694 Marvin Rhoads 2018-11-28T13:15:02Z https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3754370#M8695 Thanks a lot Marvin. Wed, 28 Nov 2018 14:08:03 GMT https://community.cisco.com/t5/network-security/ntp-server-problem/m-p/3754370#M8695 Nishan Thevathason 2018-11-28T14:08:03Z