09-21-2015 08:01 AM - edited 03-12-2019 06:08 PM
We are running into an issue where our Apple TVs are unable to set the date/time after they are reset. They will try to go out to the Apple time servers, but from what I understand the Apple time servers will not accept NTP packets if the source port is not 123 or above 1024. Because we are using dynamic PAT, the source port will only be 123 if it is not already in use.
Any ideas how to force our ASA 8.4 to use a certain range of source ports for NTP traffic?
09-26-2015 03:59 AM
5. KNOWN WORK-AROUNDS:
Cisco ASA operating system version 8.4(2) supports the use of the “FLAT” configuration keyword. Using this keyword allows firewall administrators to change the default range in which port randomization occurs.
USE WITH NTP:
Use the “FLAT” keyword to change the NTP source port randomization range from 0-1023 to 1024-65535.
FURTHER READING:
http://www.netcraftsmen.com/dynamic-pat-cont-with-pools-flat-round-robin-and-extended-pat/
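An added illustration of the work-around described above (example configuration written for this page, not taken from the thread, from the linked article, or from Cisco documentation). It assumes an ASA release that supports the keyword, interfaces named inside and outside, an inside network of 192.168.10.0/24, and a single public PAT address 203.0.113.10; the object names are invented for the example.

```cisco
! Added example, not from the original thread. Assumed names and addresses:
! interfaces "inside"/"outside", inside network 192.168.10.0/24, PAT address 203.0.113.10.
object network PAT-POOL
 host 203.0.113.10
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
!
! Twice NAT with a PAT pool. Without "flat", a client source port in 0-1023
! (such as NTP's 123) is mapped to another port in 0-1023 once 123 is busy,
! which is the range the time servers reject. With "flat" the mapped port is
! drawn from the single range 1024-65535 instead.
nat (inside,outside) source dynamic INSIDE-NET pat-pool PAT-POOL flat
```

The optional include-reserve keyword after flat adds ports 1-1023 back into the pool; for this use case leave it off, since it would reintroduce the low-port translations the question complains about. After a reset, show xlate lists the active translations with their mapped ports, which is the quickest way to confirm that the NTP flow is leaving on a port above 1023.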
09-27-2015 07:23 AM
And for IOS NAT too
08-04-2016 03:09 AM
Hi,
thanks for the hint, but the solution is still unclear to me.
I have tried out the following, using IOS:
--
ip nat portmap NTP
appl udp-rtp startport 1024 size 1024
ip nat inside source list 1 interface Dialer0 overload portmap NTP
--
where Dialer0 is my WAN port.
In my understanding this should move all of the UDP connections to source ports 1024 -> 2048 (ok, the number of open ports may change), but tcpdump on the destination host states something different:
10:04:29.450036 IP sourceip.123 > destip.123: NTPv4, Client, length 48
10:04:29.450129 IP destip.123 > sourceip.123: NTPv4, Server, length 48
See that 123 is still used.
I am also checking:
http://www.cisco.com/c/en/us/td/docs/ios/12_4t/ip_addr/configuration/guide/htpt4pat.html#wp1049437
without luck.
Any advice?
Should this be done on the internal interface, in my case Vlan 1, Vlan 7, Vlan ...?
Thank you very much in advance,
Daniele
09-27-2015 11:39 AM
Hi,
If you are already aware of the ports that your internal device is going to use, then you can create specific static NAT entries for these ports and create dynamic NAT for the rest of your internet traffic.
Refer: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html
Hope it helps,
R.Seth