How to disable external access to Cisco IOS NTP service?

lmartin80 (Level 1)

Hi,

I have a Cisco router that synchronizes with four public NTP servers:

ntp update-calendar
ntp server 0.pool.ntp.org
ntp server 1.pool.ntp.org
ntp server 2.pool.ntp.org
ntp server 3.pool.ntp.org

The router's NTP service is accessible from the Internet. I would like to disable this behavior. I would like the router's NTP service to be accessible from only the local network.

I tried creating an access list and applying it to the NTP service:

access-list 10 permit 10.0.0.0 0.0.0.255
ntp access-group serve-only 10

This configuration prevented access to the router's NTP service from the Internet, but it also prevented the router from synchronizing with the four public NTP servers.

Thanks


10 Replies

sachintambat (Level 1)

Try to permit only these 4 NTP server IPs and then check.

Thanks for the response

Is this correct?

access-list 20 permit 0.pool.ntp.org
access-list 20 permit 1.pool.ntp.org
access-list 20 permit 2.pool.ntp.org
access-list 20 permit 3.pool.ntp.org

How do I apply this access list to the NTP service?

Hi,

Have you tried creating an access list on the external interface that denies ntp?

Thanks

John

**Please rate posts you find helpful**

Hi,

Should the access list be inbound or outbound?

Hi,

This depends on how your router is configured. Are you using NAT? Are you using zone-based firewall or context-based firewall? Do you currently have an access list on the external interface? What address are the NTP clients connecting to for NTP services? The access list would be inbound.

Thanks

John

**Please rate posts you find helpful**

Hi,

I created this access list:

ip access-list extended Block-NTP
deny udp any any eq ntp
permit ip any any

However, this access list prevents the router from synchronizing to external NTP servers:

interface GigabitEthernet8
ip access-group Block-NTP in

Hi,

You can permit the external NTP servers in your access list, or configure the router to use NAT for NTP traffic sourced from the router, if you are using NAT.

thanks

John

**Please rate posts you find helpful**

Hi,

I am using 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org and 3.pool.ntp.org as the NTP servers. The IP addresses of these servers are not fixed; they are randomly assigned depending on load and location.

Hi,

Try to use ones that have fixed IP addresses, e.g. NIST NTP servers:

http://tf.nist.gov/tf-cgi/servers.cgi

Thanks

John

**Please rate posts you find helpful**
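Putting the thread's two pieces of advice together (fixed-address servers, and an ACL that permits only those servers while blocking every other outside NTP source), here is an added example configuration that is not part of the original thread or of any of the posters' replies. It assumes the router does no NAT for its own NTP traffic, keeps the 10.0.0.0/24 LAN from the question, and uses RFC 5737 documentation addresses as placeholders for whichever fixed-address servers you choose.

```text
! Added example, not from the thread. 192.0.2.10 / 192.0.2.11 are placeholders
! for real fixed-address servers (e.g. from the NIST list above); replace them.
! 10.0.0.0/24 is the LAN from the original post.

! 1. Synchronise only with fixed-address servers, not pool.ntp.org hostnames
ntp update-calendar
ntp server 192.0.2.10
ntp server 192.0.2.11

! 2. NTP-level access control. Once any ntp access-group is configured,
!    anything matching no group is dropped by the NTP process.
!    - peer:       addresses the router may synchronise WITH (the servers)
!    - serve-only: addresses that may ask this router for time (the LAN)
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 11 permit host 192.0.2.10
access-list 11 permit host 192.0.2.11
ntp access-group peer 11
ntp access-group serve-only 10

! 3. Interface ACL on the Internet-facing interface, inbound, so NTP from any
!    other outside host never reaches the router at all. Server replies arrive
!    from UDP 123 to UDP 123, so only those are permitted.
ip access-list extended Block-NTP
 permit udp host 192.0.2.10 eq ntp any eq ntp
 permit udp host 192.0.2.11 eq ntp any eq ntp
 deny   udp any any eq ntp
 permit ip any any
interface GigabitEthernet8
 ip access-group Block-NTP in

! Verification:
!   show ntp associations   - both servers listed, one marked "*" (selected)
!   show ntp status         - "Clock is synchronized"
!   show access-lists       - the deny line's counter grows as outside hosts probe
```

If the router does NAT its own outbound traffic (John's question above), the inbound ACL must instead match the translated addresses, since the replies are de-translated only after the ACL is evaluated.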

Thanks
