Allowing NTP in through PIX

monkeyboy
Level 1

Apologies for my ignorance, but is there any way of securing NTP coming in from an external public (i.e. not owned by us) clock source into our internal network?

I presume we cannot use NTP authentication because the time source is not ours?

Or are you limited to the stateful nature of the firewall (i.e. internal host request for UDP port 123 through the PIX and reply), and is this inherently secure enough?

thanks in advance

Mark
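For readers following the question of what protection remains without NTP authentication, here is an added example (not part of the original thread) of the sanity checks an NTP client applies to an unauthenticated reply: the server's answer must be a mode-4 packet whose origin timestamp echoes the transmit timestamp of the client's own request, and its stratum and leap indicator must say the server is usable. A reply that was not produced in answer to the client's request fails the origin check. Both packets below are constructed in code (the reference id "GPS" is a made-up value), so nothing is sent over the network.

```python
import struct
from typing import Optional, Tuple

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800
NTP_PACKET_LEN = 48


def to_ntp_timestamp(unix_time: float) -> Tuple[int, int]:
    """Split a Unix time into the 32-bit seconds / 32-bit fraction pair NTP uses."""
    whole = int(unix_time)
    frac = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    return whole + NTP_EPOCH_OFFSET, frac


def build_client_request(transmit_unix: float) -> bytes:
    """Build a 48-byte NTPv4 client request (mode 3).

    Only the transmit timestamp carries information; a genuine server must
    echo it back in the origin-timestamp field of its reply.
    """
    li_vn_mode = (0 << 6) | (4 << 3) | 3          # LI=0, VN=4, mode=3 (client)
    header = struct.pack("!BBBb", li_vn_mode, 0, 0, 0)
    root_and_ref = struct.pack("!III", 0, 0, 0)   # root delay, root dispersion, reference id
    zero_ts = b"\x00" * 8                         # reference, origin and receive timestamps
    xmt = struct.pack("!II", *to_ntp_timestamp(transmit_unix))
    return header + root_and_ref + zero_ts * 3 + xmt


def parse_packet(data: bytes) -> dict:
    """Decode the fixed 48-byte NTP header into the fields the client checks."""
    if len(data) < NTP_PACKET_LEN:
        raise ValueError("packet shorter than 48 bytes")
    f = struct.unpack("!BBBbIIIIIIIIIII", data[:NTP_PACKET_LEN])
    return {
        "leap": f[0] >> 6,
        "version": (f[0] >> 3) & 0x7,
        "mode": f[0] & 0x7,
        "stratum": f[1],
        "origin": (f[9], f[10]),      # T1 as echoed by the server
        "receive": (f[11], f[12]),    # T2
        "transmit": (f[13], f[14]),   # T3
    }


def make_server_reply(request: bytes, stratum: int, server_unix_time: float,
                      origin_override: Optional[Tuple[int, int]] = None) -> bytes:
    """Construct a mode-4 server reply for a request (test data, not a real server).

    A well-behaved server copies the request's transmit timestamp into the
    origin field; origin_override lets the test build a reply that does not.
    """
    req = parse_packet(request)
    li_vn_mode = (0 << 6) | (4 << 3) | 4          # LI=0, VN=4, mode=4 (server)
    now = struct.pack("!II", *to_ntp_timestamp(server_unix_time))
    origin = origin_override if origin_override is not None else req["transmit"]
    return (struct.pack("!BBBb", li_vn_mode, stratum, 6, -20)
            + struct.pack("!III", 0, 0, 0x47505300)  # reference id "GPS\0" (constructed)
            + now                                     # reference timestamp
            + struct.pack("!II", *origin)             # origin timestamp (T1)
            + now                                     # receive timestamp (T2)
            + now)                                    # transmit timestamp (T3)


def validate_response(request: bytes, response: bytes) -> Tuple[bool, str]:
    """Apply the checks an NTP client performs on an unauthenticated reply."""
    req = parse_packet(request)
    rsp = parse_packet(response)
    if rsp["mode"] != 4:
        return False, "not a server (mode 4) reply"
    if rsp["origin"] != req["transmit"]:
        # The reply does not echo our transmit timestamp, so it was not made
        # in answer to this request and must be discarded.
        return False, "origin timestamp mismatch"
    if rsp["stratum"] == 0 or rsp["stratum"] > 15:
        return False, "kiss-o'-death or unusable stratum"
    if rsp["leap"] == 3:
        return False, "server clock not synchronized"
    return True, "ok"


if __name__ == "__main__":
    req = build_client_request(1700000000.5)
    good = make_server_reply(req, 2, 1700000000.6)
    stray = make_server_reply(req, 2, 1700000000.6, origin_override=(0, 0))
    print(validate_response(req, good))     # (True, 'ok')
    print(validate_response(req, stray))    # (False, 'origin timestamp mismatch')
```

The origin-timestamp check is what makes the stateful PIX rule meaningful: the firewall only admits a reply to a request the inside host actually sent, and the host itself then verifies that the reply belongs to that request. Neither step proves who the public server is; only NTP authentication (keys shared with the time source) does that.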

4 Replies

piseli
Level 1

How about allowing incoming NTP traffic from a trusted outside NTP server to an internal NTP master?

example:

access-list acl_outside permit udp host Trusted-NTP-Server-Public host MyPublicIP eq 123
access-group acl_outside in interface outside
static (inside,outside) udp MyPublicIP 123 NTP-Master-Private 123 netmask 255.255.255.255 0 0

In this example I use port forwarding of UDP 123 to an internal private IP.

sincerely

Patrick

Thanks Patrick - just one more question - what would be the command to put on the internal NTP master, say my internal NTP master was a router?

I have tried:

ntp server x.x.x.x
! x.x.x.x = external clock IP
ntp master

This works but it does not show up as a hit in the PIX NTP access-list.

Mark

Should look something like this:

clock timezone EST -5
! set timezone

ntp authentication-key 1 md5 123456789012345678901234567890 7
ntp authenticate
ntp trusted-key 1
! enables authentication with the public NTP server

ntp server PubIP-NTPServer1 prefer
ntp server PubIP-NTPServer2
! defines the IP addresses of the public NTP servers

ntp master 10
ntp peer Your-Internal-NTP-server-IP-1
ntp peer Your-Internal-NTP-server-IP-2
ntp peer Your-Internal-NTP-server-IP-3
ntp max-associations 3
! defines NTP clients

interface serial 0/0
 no ntp disable
 ! NTP traffic allowed on the outside interface (IOS has it on by default; "no ntp disable" makes that explicit)

interface serial 0/1
 ntp disable
 ! disables NTP traffic on this interface

interface ethernet 0/0
 no ntp disable
 ! NTP traffic allowed on the internal interface

You should also define an access-list to restrict NTP access.

Command Reference:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_command_reference_chapter09186a008017388f.html#wp1049846

sincerely

Patrick
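Patrick's closing remark about restricting NTP access with an access-list, spelled out as an added example that is not part of his post. It assumes the same placeholder names as his configuration (PubIP-NTPServer1/2 and the internal peers) and an internal client range of 10.0.0.0/24, which is a made-up value. Access-list 10 names the hosts this router may synchronize with and peer with; access-list 20 names the clients that may only request time and may not send control queries.

```cisco
! Added example: restrict who may talk NTP to this router
access-list 10 permit host PubIP-NTPServer1
access-list 10 permit host PubIP-NTPServer2
access-list 10 permit host Your-Internal-NTP-server-IP-1
access-list 10 permit host Your-Internal-NTP-server-IP-2
access-list 10 permit host Your-Internal-NTP-server-IP-3
! 10.0.0.0/24 is a placeholder for the internal client subnet
access-list 20 permit 10.0.0.0 0.0.0.255
!
! upstream servers and peers: full association allowed
ntp access-group peer 10
! internal clients: time service only, no control or configuration queries
ntp access-group serve-only 20
```

Everything not matched by either list is dropped by the NTP process itself, which complements the PIX rule: the firewall limits which outside host can reach UDP 123 on the router, and the router limits which of its interfaces and neighbours it will actually serve or synchronize with.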
