NTP Config

wrwiii122
Level 1

I have 30 3550s and no internal time server. I have tried to look at ways to make my Server 2003 act as an NTP server, with no luck. I was wondering if anyone had any suggestions on how to set up NTP on these switches. I was told that I needed to open firewall port 123 inbound and point it to the client. So how would I make one a server and the rest clients?

9 Replies

Richard Burts
Hall of Fame

William

The roles of NTP server and NTP client are not mutually exclusive. A device may act as an NTP client, learning time from an authoritative source (like an Internet-based time source), and then, once it has learned authoritative time, that device may act as an NTP server and send time to other devices.

So in your situation you would configure the switch which will learn time from the Internet with:

ntp server

and then you would configure the other switches with:

ntp server

You might consider having more than one switch learn time from the Internet for redundancy.

HTH

Rick


Thanks Rick that was helpful. I have three more questions.

1. When I use the web interface (I use both every time I do something, to become familiar with both) it has settings for key id and key value. What are these and are they needed for talking to a free Internet server?

2. I would love to have two devices requesting time from an Internet time server, but I read somewhere that I will have to open port 123 incoming and forward it to the client. Is this true? Because then I would only be able to do one.

3. Is there anything special I need to do to make one of my devices requesting the time from the internet server a server itself for the rest of the clients?

William

1) NTP has an option to authenticate requests and responses between devices. You might use that option for NTP communication within your own network. The public NTP servers do not need this.

2) You will certainly need to allow port 123 (using the same port as source port and destination port) to go out through the firewall and to return through the firewall. Whether you need to forward it to a specific client is dependent on your local environment. Most of the customers I have dealt with just allow 123 through (or allow 123 to a couple of inside addresses if they really want to lock things down) but do not specifically forward the traffic.

3) There is not anything special you need to do. In the NTP protocol once a device has learned time from an authoritative source that device is able to offer time to other devices. So all you need to do is to configure a device (or several devices) to learn time from a server in the Internet and then configure other devices to use your first device as their NTP server. Note that routers and switches can be configured with more than one NTP server. If configured with more than one server the device will query all the servers configured, compare their responses, and choose one as the one it will base its time on. This provides for effective redundancy.

HTH

Rick


I thought you could only allow incoming ports to specific clients and not just allow an open port incoming. How does the firewall know where to send the application/port request to? Also, do you know what the command on a PIX is to allow an open incoming port?

On the PIX you open a port by adding a permit statement to the inbound access list on the outside interface. There are choices to be made in configuring the access list: the source address could be a specific remote host, could be a remote network, or could be any, and the destination address could be a specific host, a subnet or network, or any. Examples of various sources would look like:

access-list acl_outside permit udp host 192.168.1.1 host 10.1.1.1 eq ntp

access-list acl_outside permit udp 192.168.0.0 255.255.0.0 host 10.1.1.1 eq ntp

access-list acl_outside permit udp any host 10.1.1.1 eq ntp

Examples of various destinations would look like:

access-list acl_outside permit udp 192.168.0.0 255.255.0.0 host 10.1.1.1 eq ntp

access-list acl_outside permit udp 192.168.0.0 255.255.0.0 10.1.1.0 255.255.255.0 eq ntp

access-list acl_outside permit udp 192.168.0.0 255.255.0.0 any eq ntp

HTH

Rick

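To make the access-list semantics above concrete, here is an added example (not code from the thread, from Cisco, or from any PIX image) that models the subset of PIX syntax Rick quotes: `access-list <name> permit|deny udp <src> <dst> eq ntp`, where an address is `host A.B.C.D`, `any`, or `A.B.C.D MASK`. It captures two PIX behaviours worth remembering when locking NTP down: the mask is an ordinary subnet mask (255.255.0.0), not an IOS-style wildcard mask, and the first matching line wins with an implicit deny at the end. The sample packets and the "shadowed line" check are my additions; the three source variants are Rick's.

```python
"""Evaluate PIX-style access-list lines against sample packets and flag shadowed lines.

Added example; models only the syntax used in the thread. Sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

NTP_PORT = 123  # 'eq ntp' resolves to UDP/123


@dataclass
class AclEntry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, index of next token)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # 'A.B.C.D MASK' with a subnet mask, as PIX expects. The default strict=True
    # rejects an address with host bits set under that mask, as the PIX would.
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1])), i + 2


def parse_acl_line(line):
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("unsupported line: " + line)
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    if t[i] != "eq":
        raise ValueError("only 'eq <port>' is modelled: " + line)
    port = NTP_PORT if t[i + 1] == "ntp" else int(t[i + 1])
    return AclEntry(t[2], t[3], src, dst, port)


def evaluate(acl, proto, src_ip, dst_ip, dport):
    """Return the action of the first matching line, or 'deny' for the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in acl:
        if e.proto == proto and s in e.src and d in e.dst and dport == e.dport:
            return e.action
    return "deny"


def shadowed(acl):
    """Indices of lines that can never match because an earlier line already covers them."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto == later.proto and earlier.dport == later.dport
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)):
                out.append(j)
                break
    return out


# The three 'source' variants quoted above, in the order Rick listed them.
ACL_TEXT = """\
access-list acl_outside permit udp host 192.168.1.1 host 10.1.1.1 eq ntp
access-list acl_outside permit udp 192.168.0.0 255.255.0.0 host 10.1.1.1 eq ntp
access-list acl_outside permit udp any host 10.1.1.1 eq ntp
"""
ACL = [parse_acl_line(l) for l in ACL_TEXT.splitlines()]

if __name__ == "__main__":
    print(evaluate(ACL, "udp", "192.168.1.1", "10.1.1.1", 123))  # permit (line 1)
    print(evaluate(ACL, "udp", "8.8.8.8", "10.1.1.2", 123))      # deny (implicit)
    print(shadowed(ACL))                                          # []
    print(shadowed(list(reversed(ACL))))                          # [1, 2]
```

Listed in Rick's order nothing is shadowed, because each line is narrower than the one after it; put the `any` line first and the two specific lines can never match, which is the usual way a "locked down" NTP rule quietly becomes a permit-any.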

I set up one of my switches to point to another switch, but it states that the clock is unsynchronized. I read somewhere that you must enter the NTP MASTER command when using a router. 3550s don't have this command, so can they act as an NTP server?

William

In general a router or switch can act as an NTP server if it has authoritative time. It can get authoritative time either by learning time from an authoritative source or by using the command NTP master.

So it is not quite true that to act as an NTP server it must be configured with NTP master. I have lots of routers and switches which act as NTP servers but are not configured with NTP master.

I do not have enough experience with the 3550 to know if it can act as a server without an external source of authoritative time.

HTH

Rick

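Two of Rick's points above are easier to see on the wire than in prose: the "key id" and "key value" William asked about (answer 1 earlier in the thread), and why a device with no `ntp master` can still serve time once it has synchronized, while one that is still "unsynchronized" cannot. The following is an added example, not code from the thread or from Cisco. It packs the 48-byte NTPv4 header from RFC 5905, appends the optional authenticator (a 4-byte key ID followed by MD5 over key || header, the RFC 5905 symmetric-key scheme that IOS `ntp authentication-key <id> md5 <key>` and `ntp trusted-key <id>` map onto, as I understand them), and parses a constructed server reply. The key ID, key value and timestamps are made up; no packets are sent.

```python
"""NTP symmetric-key authentication and the checks a client makes before trusting a reply.

Added example; key, key ID and timestamps are constructed. No network I/O.
"""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
HEADER_FMT = "!BBbbIIIQQQQ"     # LI/VN/mode, stratum, poll, precision, root delay,
                                # root dispersion, ref id, ref/origin/receive/transmit ts
MODE_CLIENT, MODE_SERVER = 3, 4
LI_UNSYNC = 3                   # leap indicator 3 = 'clock is unsynchronized'
AUTH_LEN = 4 + 16               # key ID + MD5 digest


def to_ntp_ts(unix_seconds):
    """Unix float seconds -> 64-bit NTP timestamp (32-bit seconds . 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def build_header(li, mode, stratum, ref_id=0, origin_ts=0, receive_ts=0, transmit_ts=0):
    """Pack an NTPv4 header. Poll 6 (64 s) and precision -20 are typical constructed values."""
    first = (li << 6) | (4 << 3) | mode
    return struct.pack(HEADER_FMT, first, stratum, 6, -20, 0, 0, ref_id,
                       0, origin_ts, receive_ts, transmit_ts)


def authenticate(header, key_id, key):
    """Append the authenticator: key ID, then MD5(key || header)."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify(packet, trusted_keys):
    """Return (header, ok). ok is False if the packet is unauthenticated, names a key
    we do not trust, or the digest does not match. Digests are compared in constant time."""
    header, trailer = packet[:48], packet[48:]
    if len(header) != 48 or len(trailer) != AUTH_LEN:
        return header, False
    key_id = struct.unpack("!I", trailer[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return header, False
    expected = hashlib.md5(key + header).digest()
    return header, hmac.compare_digest(expected, trailer[4:])


def parse_header(header):
    f = struct.unpack(HEADER_FMT, header)
    return {"li": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "stratum": f[1], "ref_id": f[6], "transmit_ts": f[10]}


def usable(fields):
    """Reject replies a client must not sync to: wrong mode, the unsynchronized alarm
    (what 'clock is unsynchronized' reports), or a stratum outside 1..15 (0 is a
    kiss-o'-death code, 16 means the server itself has no time yet)."""
    return (fields["mode"] == MODE_SERVER
            and fields["li"] != LI_UNSYNC
            and 1 <= fields["stratum"] <= 15)


def downstream_stratum(upstream_fields):
    """A device synchronized to a usable server serves time at that stratum + 1; this is
    how a switch without 'ntp master' still acts as a server for the rest. If the
    upstream is unusable the device stays unsynchronized (stratum 16)."""
    if not usable(upstream_fields):
        return 16
    return upstream_fields["stratum"] + 1


if __name__ == "__main__":
    keys = {1: b"example-key-value"}             # constructed key ID 1 and key value
    t0 = to_ntp_ts(1_700_000_000.5)
    request = authenticate(build_header(0, MODE_CLIENT, 0, transmit_ts=t0), 1, keys[1])
    reply = authenticate(build_header(0, MODE_SERVER, 2, ref_id=0x0A010101, origin_ts=t0,
                                      receive_ts=to_ntp_ts(1_700_000_000.6),
                                      transmit_ts=to_ntp_ts(1_700_000_000.6)), 1, keys[1])
    header, ok = verify(reply, keys)
    fields = parse_header(header)
    print(len(request), ok, usable(fields), downstream_stratum(fields))
    # An upstream that has not learned time yet: LI=3, stratum 16 -> not usable
    print(usable(parse_header(build_header(LI_UNSYNC, MODE_SERVER, 16))))
```

The key ID is sent in the clear and only selects which shared secret to use, so both sides must hold the same key under the same ID; the key value never appears on the wire. The public Internet servers Rick mentions do not share a key with you, which is why the fields are left empty for them.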

Wilson Samuel
Level 7

Hi,

The easiest and best way to set up a centralized time server for your entire enterprise is to:

1. Make sure that your Internet firewall becomes an NTP server for the internal clients and in turn takes time from the Internet (there are many government time servers, e.g. ntp.nasa.gov; however, make sure you take permission from them before you actually point your FW / Router to them).

2. Make sure your ADS DC gets the time from the firewall; with this, all the machines and servers (with ADS) would automatically get the correct time from the Internet.

3. Point all your switches / routers and all other devices to learn time from the windows DC and ADCs.

This would make sure that in case of firewall replacement you needn't work very hard.

If you require config commands for Windows and Routers / Switches / Firewall, please paste a query and I shall be more than glad to help you out.

Regards,

Wilson Samuel

