How do I get an ASA to push out NTP, do I need to NAT/PAT ??

jimmycher
Level 1

We have a custom device that can not be re-coded. Its IP is 10.10.161.146. Its host name is TOM.

TOM wants to grab the NTP data from his default gateway, which is the ASA inside interface (10.10.161.1).

The ASA gets its NTP from a router called CORE (IP of 10.10.151.1).

Can I make the ASA an NTP server?

If not, how do I NAT/PAT the incoming request from TOM so that he gets good NTP?

(Tom is far away, and can not be reprogrammed.)

Many thanks.


John Forester
Level 1

Hi Jimmy

As far as I know, the ASA cannot act as an NTP server, so you will need to have it do a NAT. There are several ways to get time into your network. You could do a NAT from anyone to get to the external time server - but I prefer "static twice NATs" myself. Just make sure you use object networks and services vs. group - groups don't work with static twice NATs:

Here is a NAT that changes TOM to the external interface IP (a public IP) and sends it to the NTP-1 source, using a service object called NTP

object network TOM
 host 10.10.161.146
object network NTP-1
 host 8.8.8.8
object service NTP
 service destination udp eq 123
nat (inside,outside) source static TOM interface destination static NTP-1 NTP-1 service NTP NTP

As an aside note - what I did was point my inside Cisco switch to the NTP server only, and then made the switch be a time server (it can do this). This way, only my switch goes out for udp 123 for time, and all of the devices inside the firewall can go to it for time. You lose one stratum by doing this, but I like it because doing it this way prevents many devices going out of the firewall for time - you only have one device that goes out.

Here is the link I used about NATs for ASA - just scroll down to the static twice NAT area:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/firewall/asa-94-firewall-config/nat-basics.html#ID-2090-0000083f

Good Luck! 

Thanks John,

I'm getting hits on the first half of the NAT statement:

"nat (inside,outside) source static TOM interface destination static interface any"

but when I enter the complete statement from above, I don't get any hits.

By the way, this is all being done in a lab, with a Linux server running "ntpdate" continuously.

 

Also, I think you juxtaposed destination and udp in the command listed above:

service destination udp eq 123   (should be service udp destination eq 123) ?

Not sure what I'm missing?

jc

 

 

Hi Jimmy,

Sorry about the error with the service line.

For the NAT you are running, I believe your "destination static interface any" may be incorrect. The first part of the NAT statement "nat (inside,outside) source static TOM interface" translates your real IP of TOM to your outside interface's public IP address. The "destination static interface any" is trying to point to a real interface at the distant end, and then any mapped IP. If you build a NAT statement this way, it will not work correctly. Your destination part should be the same real and mapped IP, which is why it appears twice on my line above. The only reason to change it would be to have a destination to a real IP on another firewall or router, and then a mapped IP behind it. This way will work and if that is what you are trying then you can do it this way - however, you will probably need a NAT at that destination to accept your udp request from your firewall's public IP as well.

Also if you do not specify a service, you will need to build an ACL allowing the private IP to the public NTP's IP, and specify in the ACL that udp 123 is allowed. The ACL would be applied to your inside group access list.

Packet-tracer will tell you if the problem is an ACL that drops it, or the NAT. You are close to getting it working!!!

Hope this helps

Hi John,

I understand my "destination static interface any" is incorrect, but at least I'm getting hits on the NAT counter.  When I specify object network NTP-1, I get zero hits on the NAT counter.  This is true even if I don't specify the protocol.

Did you run this exact config in a lab?  perhaps we forgot something?

If you would be kind enough to explain in simple terms the command:

nat (inside,outside) source static TOM interface destination static NTP-1 NTP-1 service NTP NTP

 

Also, you mentioned a different method, can you give that to me as well, and I'll run it by the lab.

Many, many thanks.

 

It looks like I got it to work; I had to create a loopback address on my Core router (which simulates the internet). It failed to work when I pointed the NAT to the outside address of the core router. Here is what I did:

nat (inside,outside) source static TOM interface destination static interface LOOPBACK5 service NTP NTP

I haven't run that in a full mock up, do you think I missed something?

Thanks.

Hi Jimmy,

Glad you got it working!!

If I am reading your statement correctly, it looks like you may have been using private IPs on your outside interface of your firewall? I have not done it this way in a lab. The NAT I used works when your outside interface is a public IP. I am currently using this NAT statement to get three different NTP server time sources.

To answer your question on the syntax I'll break it down the way I understand it, in three pieces:

nat (inside,outside) source static TOM interface (this portion identifies the inside zone as the originator of the request, and outside as the direction to send the request. The twice NAT uses a "real" and "mapped" IP, so this part of the statement says to convert the real IP of TOM to the outside interface's IP. It maps TOM to the outside IP address, so anything out on the Internet will think that your FW IP address is the originator, and not TOM's IP. The reason for this is that TOM is a private IP, not a public IP. The router will drop anything coming from a private IP as its default, and will only forward a private IP if specifically told to do so, i.e. an ip route statement.)

destination static NTP-1 NTP-1 (this portion identifies the real and mapped destination IP. In my case, I looked up the IP addresses on the web and found three that replied to ping, and then set them up with their own NAT.)

service NTP NTP (this portion identifies the real and mapped ports. I set the destination port as udp 123 for both real and mapped.)

Hope this helps and congrats on getting it to work!
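As an added example (not code from the thread or from Cisco), the following Python model evaluates the twice-NAT statement broken down above against a few constructed packets, showing which ones register a NAT hit and how the real source, destination and port are mapped. The object names and addresses come from the thread; the outside interface address is a constructed placeholder, since the thread never gives it, and "interface" is simply resolved to that address wherever it appears.

```python
# Added example: a small model of ASA static twice NAT, checked against the
# objects and nat statement from this thread. Not an ASA implementation.
from dataclasses import dataclass

OUTSIDE_IP = "203.0.113.10"   # constructed placeholder for the ASA outside interface IP
NETWORK_OBJECTS = {"TOM": "10.10.161.146", "NTP-1": "8.8.8.8"}   # from the thread
SERVICE_OBJECTS = {"NTP": ("udp", 123)}   # object service NTP: udp destination eq 123

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def parse_nat(line):
    """Parse 'nat (in,out) source static R M [destination static R M] [service R M]'."""
    t = line.split()
    if t[0] != "nat" or t[2:4] != ["source", "static"]:
        raise ValueError("only static twice NAT is modelled: " + line)
    rule = {"src": (t[4], t[5]), "dst": None, "svc": None}   # (real, mapped) pairs
    i = 6
    while i < len(t):
        if t[i] == "destination" and t[i + 1] == "static":
            rule["dst"] = (t[i + 2], t[i + 3]); i += 4
        elif t[i] == "service":
            rule["svc"] = (t[i + 1], t[i + 2]); i += 3
        else:
            raise ValueError("unexpected token " + t[i])
    return rule

def host(name):
    # simplification: "interface" resolves to the outside IP in any position
    return OUTSIDE_IP if name == "interface" else NETWORK_OBJECTS[name]

def translate(rule, pkt):
    """Return the mapped packet if the rule hits, else None (zero NAT hits)."""
    if pkt.src != host(rule["src"][0]):                       # real source must be TOM
        return None
    if rule["dst"] and pkt.dst != host(rule["dst"][0]):       # real destination must be NTP-1
        return None
    if rule["svc"] and (pkt.proto, pkt.dport) != SERVICE_OBJECTS[rule["svc"][0]]:
        return None                                           # real service must be udp/123
    new_dst = host(rule["dst"][1]) if rule["dst"] else pkt.dst
    new_port = SERVICE_OBJECTS[rule["svc"][1]][1] if rule["svc"] else pkt.dport
    return Packet(host(rule["src"][1]), new_dst, pkt.proto, new_port)

RULE = parse_nat("nat (inside,outside) source static TOM interface "
                 "destination static NTP-1 NTP-1 service NTP NTP")

if __name__ == "__main__":
    for p in (Packet("10.10.161.146", "8.8.8.8", "udp", 123),        # TOM -> NTP-1: hit
              Packet("10.10.161.146", "8.8.8.8", "udp", 53),         # wrong service: no hit
              Packet("10.10.161.146", "198.51.100.7", "udp", 123)):  # not NTP-1: no hit
        print(p, "->", translate(RULE, p))
```

Packets that return None are the ones that would leave the NAT hit counter at zero, which is the symptom discussed earlier in the thread.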

Thanks for the timely and very informative reply. I now have a better understanding of the first part. The third part makes sense, NTP for both real and mapped. What I don't understand is the second part. When I copy your example, it fails. When I change the first LOOPBACK5 to interface, it works well.

nat (inside,outside) source static TOM interface destination static interface LOOPBACK5 service NTP NTP

 

I think this will be okay, and not perturb the other NTP requests.  Do you agree?

Dang if I can understand it though.

Thanks again.
