Does PIX support NTP...

mowtnman
Level 1

If not, what is the best practice to allow NTP to synchronize with internal network devices from external sources?

All comment welcome... Thanks.

4 Replies

steve.barlow
Level 7

In version 6.2 I know the PIX supports ntp as a client but I don't think as a server (see http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/mr.htm#xtocid7). NTP uses port 123. I believe the client starts the ntp connection with the ntp server, so the PIX can allow your internal clients to communicate with the NTP server without having to create an acl. If I am wrong, and you need an acl, put a server on the DMZ, sync with the internet NTP server that way, and allow your inside devices to sync with the DMZ ntp server.

Hope it helps.

Steve

Thanks for the comment...

I am running version 5.3(6) and I now know that NTP is not supported under 6.1.

Do you have any recommendations for allowing the traffic through from external to internal?

Be as specific as possible in the acl.

eg.

access-list 101 permit udp host x.x.x.x host y.y.y.y eq 123 (x.x.x.x is the public ntp server and y.y.y.y is your ntp server)

static (inside,outside) y.y.y.y 10.10.10.10 netmask 255.255.255.255

If you have any internal acls, only allow that internal ntp server to communicate with others via ntp, and lock that server down (not a server guy anymore so can't help with that). If it's a router, have an acl on it only allow the public ntp server to access it via ntp. Not much else you can do if you are stuck with direct external to internal.

Hope that's what you are looking for.

Steve

Two comments:

An NTP client initiates all communications to servers and even to peers. There is no server push. If you are syncing to outside sources, you will only need an acl if you are restricting outbound traffic.

Most routine NTP traffic is UDP. Only some interactive traffic, like ntpq queries, is TCP, so you generally only have to allow UDP.

Greg
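As an added illustration (not code from any poster in this thread) of the client-initiated, UDP/123 exchange Greg describes and the traffic Steve's ACL has to permit: a constructed NTP request and reply are built and decoded to show the mode field, which side uses port 123, and the offset a client derives from the reply. All names and the sample timestamps are my own assumptions.

```python
import struct

NTP_PORT = 123                 # NTP servers always listen on UDP/123
NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
MODE_NAMES = {3: "client", 4: "server", 6: "control (ntpq)"}

def to_ntp_ts(unix_seconds):
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    return int((unix_seconds + NTP_EPOCH_OFFSET) * 2**32)

def build_client_request(transmit_unix, version=3):
    """The 48-byte mode 3 packet a client sends; nothing else starts an NTP exchange."""
    first_byte = (0 << 6) | (version << 3) | 3            # LI=0, VN, Mode=3
    header = struct.pack("!BBBbIII", first_byte, 0, 0, 0, 0, 0, 0)
    # reference, originate and receive stamps are zero in a request; only transmit is set
    return header + struct.pack("!4Q", 0, 0, 0, to_ntp_ts(transmit_unix))

def build_server_reply(request, recv_unix, xmt_unix, stratum=2):
    """Constructed mode 4 reply: echoes the client's transmit stamp as 'originate'."""
    version = (request[0] >> 3) & 0x7
    header = struct.pack("!BBBbIII", (version << 3) | 4, stratum, 6, -20, 0, 0, 0)
    return (header + struct.pack("!Q", to_ntp_ts(recv_unix - 16)) + request[40:48]
            + struct.pack("!2Q", to_ntp_ts(recv_unix), to_ntp_ts(xmt_unix)))

def parse_ntp(packet):
    """Decode the header fields that matter for an ACL or IDS decision."""
    if len(packet) < 48:
        raise ValueError("NTP packets are at least 48 bytes")
    ref, orig, recv, xmt = struct.unpack("!4Q", packet[16:48])
    unix = lambda ts: ts / 2**32 - NTP_EPOCH_OFFSET
    return {"version": (packet[0] >> 3) & 0x7, "mode": packet[0] & 0x7,
            "mode_name": MODE_NAMES.get(packet[0] & 0x7, "other"), "stratum": packet[1],
            "originate": unix(orig), "receive": unix(recv), "transmit": unix(xmt)}

def classify_for_acl(packet, src_port, dst_port):
    """What a firewall sees: requests go to UDP/123, replies come back from UDP/123."""
    mode = parse_ntp(packet)["mode"]
    if mode == 3 and dst_port == NTP_PORT:
        return "client request: outbound, permit and expect one reply"
    if mode == 4 and src_port == NTP_PORT:
        return "server reply: inbound, valid only as the answer to a request"
    if mode == 6:
        return "control query (ntpq): not needed for time synchronisation"
    return "unexpected"

def clock_offset(reply, sent_unix, received_unix):
    """Client-side NTP offset ((T2 - T1) + (T3 - T4)) / 2 using the reply's stamps."""
    p = parse_ntp(reply)
    return ((p["receive"] - sent_unix) + (p["transmit"] - received_unix)) / 2
```

Because only the mode 3 request opens the conversation, a stateful firewall that permits the outbound UDP/123 request will admit the matching mode 4 reply without a separate inbound rule.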
