ACLs for NTP and DNS

Hi everyone, I have a bunch of Cisco 4321 Routers that I want to configure ACL on but I am running into some difficulties.


I have an Internal Server connected to Router 3 that is using the Windows Time Service which acts as the NTP Server for the 3 Routers. I have configured it to obtain the NTP pool from the public network, specifically from the NTP Pool Project. This internal server uses the Web Server's DNS Service.


On the Web Server connected to Router 1, I have a Webpage alongside DNS configured. This Web Server is in the DMZ that I will establish with ACLs.


I have an extended ACL configured on Router 1's G0/0/1's ingress interface. This ACL basically permits the public to access the Web Server and permits all established TCP traffic.


  • access-list 100 permit tcp any host eq 443 (SNAT is configured for Web Server)
  • access-list 100 permit tcp any any established


After configuring this ACL, my internal Server is unable to obtain the NTP pool from I assumed that this is because NTP uses a different port which is denied by my ACL. I then tried to permit NTP with the following command:


  • access-list 100 permit udp any host eq 123

This still did not work. At this point, I am wondering if it is because the ACL I implemented on R1 G0/0/1 Ingress is blocking something else. I am thinking that it has something to do with the ACL blocking DNS but I am not sure. Any help?



Marius Gunnerud
VIP Advisor

Is this a lab setup in or are you just simulating the issue in packet tracer?

Are you NATing traffic from the server so it reaches the internet?

Since it is which is initiating the NTP traffic here, the access list on Gig0/0/1 should reflect that the reply is coming with a source port of udp/123 and a destination port of any high random port.  Change your ACL to the following and test.

access-list 100 permit udp any eq 123 host


Please remember to select a correct answer and rate helpful posts
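To make the port direction in the reply concrete, here is an added walk-through (not part of the thread, not Cisco IOS code) that models how a stateless extended ACL on the Gig0/0/1 ingress evaluates a few inbound packets. It compares the poster's `permit udp any host <server> eq 123` (destination port 123) with the reply's `permit udp any eq 123 host <server>` (source port 123). The IP addresses are constructed placeholders because the thread elides them, the packets are constructed, and the `dns_reply` case is an assumption that goes beyond the thread: it shows that if the web server's DNS forwards queries upstream, the resolver's answer arrives with source port 53 and needs the same kind of entry.

```python
from dataclasses import dataclass
from typing import Optional

# Placeholder addresses: the thread elides the real ones (constructed values).
WEB_SERVER = "203.0.113.10"   # public/SNAT address of the DMZ web server
TIME_SERVER = "203.0.113.20"  # NAT address the internal NTP client appears as


@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack_or_rst: bool = False  # TCP ACK or RST bit set; that is all 'established' checks


@dataclass(frozen=True)
class Ace:
    """One access-list entry. A None field is the 'any' wildcard."""
    action: str
    proto: str
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        return all((
            self.proto == p.proto,
            self.src is None or self.src == p.src,
            self.sport is None or self.sport == p.sport,
            self.dst is None or self.dst == p.dst,
            self.dport is None or self.dport == p.dport,
            not self.established or p.ack_or_rst,
        ))


def evaluate(acl: list, p: Packet) -> str:
    """First matching entry wins; an extended ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# The poster's two lines plus their NTP attempt:
#   permit tcp any host <web> eq 443
#   permit tcp any any established
#   permit udp any host <server> eq 123      <- matches DESTINATION port 123
POSTER_ACL = [
    Ace("permit", "tcp", dst=WEB_SERVER, dport=443),
    Ace("permit", "tcp", established=True),
    Ace("permit", "udp", dst=TIME_SERVER, dport=123),
]

# The reply's version: permit udp any eq 123 host <server>   <- matches SOURCE port 123
REPLY_ACL = POSTER_ACL[:2] + [Ace("permit", "udp", sport=123, dst=TIME_SERVER)]

# Inbound packets on Gig0/0/1 (constructed for this example):
PACKETS = {
    # pool member answering the internal server's NTP query
    "ntp_reply": Packet("udp", "198.51.100.5", 123, TIME_SERVER, 50123),
    # public client opening HTTPS to the DMZ web server
    "https_syn": Packet("tcp", "192.0.2.7", 40000, WEB_SERVER, 443),
    # return half of a TCP session the inside initiated (ACK set)
    "tcp_return": Packet("tcp", "192.0.2.9", 443, TIME_SERVER, 51000, ack_or_rst=True),
    # unsolicited packet aimed at udp/123 on the server, not a reply to anything
    "ntp_probe": Packet("udp", "198.51.100.99", 40000, TIME_SERVER, 123),
    # assumed: upstream resolver answering a query the web server's DNS forwarded
    "dns_reply": Packet("udp", "198.51.100.53", 53, WEB_SERVER, 60000),
}


def results(acl: list) -> dict:
    return {name: evaluate(acl, p) for name, p in PACKETS.items()}


def poster_results() -> dict:
    return results(POSTER_ACL)


def reply_results() -> dict:
    return results(REPLY_ACL)


if __name__ == "__main__":
    for label, r in (("poster's ACL", poster_results()), ("reply's ACL", reply_results())):
        print(label)
        for name, verdict in r.items():
            print(f"  {name:10} -> {verdict}")
```

Running it shows the poster's entry denies the real NTP reply (its destination port is the client's random high port) while permitting unsolicited traffic to udp/123 on the server, whereas the reply's entry does the opposite: the reply is permitted and the unsolicited packet falls through to the implicit deny. The `established` keyword only inspects TCP flag bits, so it never helps UDP, which is why NTP and DNS replies each need their own source-port entry on a stateless ACL.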