Hi everyone, I have a bunch of Cisco 4321 routers that I want to configure ACLs on, but I am running into some difficulties.
I have an internal server connected to Router 3 that is using the Windows Time Service, which acts as the NTP server for the 3 routers. I have configured it to obtain the NTP pool from the public network, specifically 0.sg.pool.ntp.org from the NTP Pool Project. This internal server uses the Web Server's (10.0.2.6) DNS service.
On the Web Server connected to Router 1, I have a Webpage alongside DNS configured. This Web Server is in the DMZ that I will establish with ACLs.
I have an extended ACL configured on Router 1's G0/0/1's ingress interface. This ACL basically permits the public to access the Web Server and permits all established TCP traffic.
- `access-list 100 permit tcp any host 200.0.0.2 eq 443` (SNAT is configured for the Web Server)
- `access-list 100 permit tcp any any established`
After configuring this ACL, my internal server is unable to obtain the NTP pool from 0.sg.pool.ntp.org. I assumed this was because NTP uses a different port, which is denied by my ACL. I then tried to permit NTP with the following command:
- `access-list 100 permit udp any host 10.0.2.2 eq 123`
This still did not work. At this point, I am wondering if it is because the ACL I implemented on R1 G0/0/1 Ingress is blocking something else. I am thinking that it has something to do with the ACL blocking DNS but I am not sure. Any help?
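To reason about what the ingress ACL on R1's outside interface actually matches, here is a small Python model of IOS extended-ACL evaluation, added as an illustration and not part of the original post or of any Cisco tool. It encodes two IOS behaviours: the `established` keyword matches only TCP segments with ACK or RST set, so UDP replies (NTP from source port 123, DNS from source port 53) never match it; and an inbound ACL on the outside interface is evaluated before outside-to-inside NAT, so the packet's destination is still the global (NAT) address, not the inside address. The public addresses (192.0.2.10, 198.51.100.7, 192.0.2.53) and the internal server's NAT global address (203.0.113.10) are constructed placeholders; only 200.0.0.2 and 10.0.2.2 come from the post. The DNS case assumes the Web Server's DNS service resolves 0.sg.pool.ntp.org by querying the internet, which the post does not state explicitly.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str                         # address as seen by the ACL (pre-NAT on the outside interface)
    dport: int
    tcp_flags: frozenset = field(default_factory=frozenset)


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str
    src: str                         # "any", a host address, or a CIDR network
    dst: str
    dport: Optional[int] = None      # "eq <port>" on the destination
    established: bool = False        # TCP-only keyword


def addr_matches(pattern: str, addr: str) -> bool:
    """'any' or a host/CIDR pattern checked against a concrete address."""
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != pkt.proto:
        return False
    if not (addr_matches(ace.src, pkt.src) and addr_matches(ace.dst, pkt.dst)):
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    # 'established' matches only TCP with ACK or RST set; a UDP packet never has these.
    if ace.established and not (pkt.tcp_flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl, pkt: Packet):
    """First-match evaluation; returns (action, index) or ("deny", None) for the implicit deny."""
    for index, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, index
    return "deny", None


# access-list 100 exactly as in the post, in order.
ACL_100 = [
    Ace("permit", "tcp", "any", "200.0.0.2", dport=443),
    Ace("permit", "tcp", "any", "any", established=True),
    Ace("permit", "udp", "any", "10.0.2.2", dport=123),
]

# Constructed placeholder addresses (documentation ranges), not from the post.
NTP_SERVER = "192.0.2.10"        # assumed pool member
CLIENT = "198.51.100.7"          # assumed public HTTPS client
DNS_UPSTREAM = "192.0.2.53"      # assumed upstream DNS server
SERVER_GLOBAL = "203.0.113.10"   # assumed NAT global address of the internal server


def sample_results():
    """Evaluate constructed packets arriving inbound on R1 G0/0/1."""
    packets = {
        "client_https_syn": Packet("tcp", CLIENT, 51000, "200.0.0.2", 443, frozenset({"SYN"})),
        "tcp_reply_to_server": Packet("tcp", CLIENT, 443, SERVER_GLOBAL, 52000, frozenset({"ACK"})),
        # NTP reply as the ACL sees it: destination is the global address, not 10.0.2.2.
        "ntp_reply_global": Packet("udp", NTP_SERVER, 123, SERVER_GLOBAL, 123),
        # The same reply if it carried the inside address (only possible after NAT, i.e. never here).
        "ntp_reply_inside_addr": Packet("udp", NTP_SERVER, 123, "10.0.2.2", 123),
        # DNS reply to the Web Server's resolver at its SNAT address.
        "dns_reply_to_webserver": Packet("udp", DNS_UPSTREAM, 53, "200.0.0.2", 40000),
    }
    return {name: evaluate(ACL_100, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (action, index) in sample_results().items():
        where = "implicit deny" if index is None else f"entry {index + 1}"
        print(f"{name:24s} -> {action} ({where})")
```

Running the model shows the HTTPS SYN and the TCP return traffic being permitted by entries 1 and 2, while both UDP replies fall through to the implicit deny: the NTP reply because its destination at ACL-evaluation time is the global address rather than 10.0.2.2, and the DNS reply because no entry covers UDP 53 at all. The `ntp_reply_inside_addr` case confirms the third entry is syntactically fine and would match, but only for a packet whose destination is already 10.0.2.2, which an inbound ACL on the outside interface never sees when NAT is in use.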