Configuring CISCO ASA Application Layer Protocol Inspection

johnmathewhere
Level 1

While configuring a DNS Inspection Policy Map, to match a specific flag that is set in the DNS header, the following command can be used:

hostname(config-cmap)# match [not] header-flag [eq] {f_well_known | f_value}

I want to configure NTP Inspection Policy Map. My aim is to drop all Mode-6 and Mode-7 NTP Packets that arrive at the firewall.

Which command can be used to match a specific flag that is set in the NTP header?

3 Replies

There is no NTP-inspection engine in the ASA. Have a look at the following list for the supported inspections:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/inspect-overview.html

You have to look for a solution outside of the ASA. Do you have an IOS-router in front of your ASA? Perhaps Flexible packet matching could help you with that.
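Since the ASA has no NTP inspection engine, whatever device ends up filtering in front of it has to make the match the poster describes itself: the NTP mode is the low three bits of the first header byte, so a "drop mode 6 and 7" rule is a one-byte mask test. The following Python is an added example, not code from this thread or from Cisco, that decodes that byte and applies the drop policy to constructed sample datagrams; the NtpHeader/should_drop names and the zero padding of the samples are my own assumptions.

```python
from dataclasses import dataclass

# Mode numbers from RFC 5905 section 7.3; mode 7 is ntpd's implementation-
# specific "private" mode, used for its monitoring queries.
NTP_MODE_NAMES = {
    0: "reserved", 1: "symmetric active", 2: "symmetric passive",
    3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private",
}
BLOCKED_MODES = frozenset({6, 7})  # policy chosen for this example

@dataclass(frozen=True)
class NtpHeader:
    leap: int     # LI, top 2 bits of byte 0
    version: int  # VN, next 3 bits
    mode: int     # Mode, low 3 bits

    @property
    def mode_name(self) -> str:
        return NTP_MODE_NAMES[self.mode]

def parse_ntp_header(payload: bytes) -> NtpHeader:
    """Decode LI/VN/Mode from byte 0 of a UDP/123 payload."""
    if not payload:
        raise ValueError("empty NTP payload")
    first = payload[0]
    return NtpHeader(leap=first >> 6, version=(first >> 3) & 0x07, mode=first & 0x07)

def should_drop(payload: bytes, blocked=BLOCKED_MODES) -> bool:
    """True when the mode is on the block list; an undecodable (empty)
    payload is dropped too, so a malformed packet cannot bypass the check."""
    try:
        return parse_ntp_header(payload).mode in blocked
    except ValueError:
        return True

# Constructed sample datagrams: only byte 0 matters for the mode match; the
# rest is zero padding (48 bytes is the minimum for a mode 1-5 packet).
SAMPLES = {
    "v4 client request": bytes([0x23]) + bytes(47),  # 0010 0011: LI=0 VN=4 Mode=3
    "v4 server reply":   bytes([0x24]) + bytes(47),  # 0010 0100: LI=0 VN=4 Mode=4
    "v2 control query":  bytes([0x16]) + bytes(11),  # 0001 0110: LI=0 VN=2 Mode=6
    "v2 private query":  bytes([0x17]) + bytes(7),   # 0001 0111: LI=0 VN=2 Mode=7
}

def classify_all(samples=SAMPLES) -> dict:
    """Map each sample name to (mode name, drop decision)."""
    return {n: (parse_ntp_header(p).mode_name, should_drop(p)) for n, p in samples.items()}
```

Calling classify_all() returns the mode name and the drop decision for each sample; the same byte-0 mask is what an external packet-matching rule would have to express.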

To protect from the security issues that occur while opening port 123 for NTP, I have tried to configure an NTP client on the Cisco ASA firewall. I have tried to synchronize the NTP client time with an outside NTP server. But the synchronization is not taking place due to the large time difference between the NTP client and the NTP server.

To make the time difference less, I have to use the ntpd or ntpdate commands in the NTP running on the firewall. Is there any way to execute those commands in the firewall?

Also, is it possible to use the same NTP client running on the firewall as an NTP server, from which other internal systems can synchronize their time?

Before configuring NTP on the client, you should set the clock manually to a time that is very close to the time on the NTP-server. Just remember that the timezone is not communicated in NTP and has to be set individually.

For the rest: What system are you talking about? Can't be an ASA as there is no ntpd or ntpdate. All is configured with "ntp ...".

And the ASA only has an ntp-client, but can't act as an ntp-server. An IOS-device can be ntp-client and ntp-server at the same time.
