08-19-2013 11:31 PM - edited 03-11-2019 07:27 PM
Hi Gurus of Cisco
I want to synchronize my devices that are on the outside interface (please see the image below).
My Firewall has the following configuration:
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 181.66.39.100 255.255.255.128
!
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.8.101 255.255.255.0
!
My NTP server is 10.1.11.12 and is on VLAN 11 (10.1.11.0/24) of my core switch.
From my core network I can reach the two devices that are on the outside interface:
CORE-SWITCH#ping 181.66.39.98 source vlan 11 repeat 20
Type escape sequence to abort.
Sending 20, 100-byte ICMP Echos to 181.66.39.98, timeout is 2 seconds:
Packet sent with a source address of 10.1.11.3
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20), round-trip min/avg/max = 1/2/16 ms
CORE-SWITCH#
If I run the ASDM tool "Packet Tracer" and select Interface "Inside", Packet Type "UDP", Source Address 10.1.11.12, Source Port NTP ---> Destination Address 181.66.39.98, Destination Port NTP ---> I can reach it:
packet-tracer input inside udp 10.1.11.12 ntp 181.66.39.98 ntp
The Result is:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
But in the other direction:
packet-tracer input outside udp 181.66.39.98 ntp 10.1.11.12 ntp
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 2 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 2 (181.66.39.102)
translate_hits = 2129309899, untranslate_hits = 249021388
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Based on the details above, what lines must I add to my firewall configuration to synchronize my devices that are on the outside interface?
Any comments or suggestions are welcome.
08-20-2013 12:06 AM
NTP is typically used in a client/server way, where the two routers would be the clients and the core switch is the server. With that you have incoming connections from outside to inside. For that you not only need a permit entry in your outside ACL, but also a matching static NAT statement or a NAT exemption for that traffic.
The config could look like the following:
object-group network NTP-SERVER
network-object host 181.66.39.98
network-object host 181.66.39.99
!
access-list NAT-EXEMPT permit ip host 10.1.11.12 object-group NTP-SERVER
!
nat (inside) 0 access-list NAT-EXEMPT
Probably there is already a NAT exemption on your inside interface, so that you have to add it to your actual config.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
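Pulling the two halves of the answer together (the NAT exemption plus the outside ACL entry), and adding the verification steps a practitioner would run afterwards. This is an added example, not configuration from the original thread or from Cisco. It assumes the ASA runs pre-8.3 software (which matches the "nat (inside) 2 0.0.0.0 0.0.0.0" syntax in the question), that the ACL applied to the outside interface is called OUTSIDE-IN (hypothetical; use the name of your existing outside ACL), that the second router is 181.66.39.99 as in the answer above, and that the two outside devices are IOS routers. The object-group is named NTP-CLIENTS here because the outside routers are the NTP clients, not the server.

```text
! ===== ASA (pre-8.3 NAT syntax) =====
! Added example; assumes an existing outside ACL named OUTSIDE-IN (hypothetical)
!
! 1. The two NTP clients on the outside
object-group network NTP-CLIENTS
 network-object host 181.66.39.98
 network-object host 181.66.39.99
!
! 2. NAT exemption so the routers reach 10.1.11.12 by its real address.
!    "nat 0 access-list" is bidirectional: it also stops 10.1.11.12 -> router
!    traffic from being PATed to 181.66.39.102, which is what the rpf-check
!    drop in the question was complaining about.
access-list NAT-EXEMPT extended permit ip host 10.1.11.12 object-group NTP-CLIENTS
nat (inside) 0 access-list NAT-EXEMPT
!
! 3. Permit only UDP/123 from the two routers to the NTP server. The source port
!    is deliberately left open: IOS sources NTP from 123, other clients use an
!    ephemeral port. Replies ride the existing connection; no reverse rule needed.
access-list OUTSIDE-IN extended permit udp object-group NTP-CLIENTS host 10.1.11.12 eq ntp
! Only needed if OUTSIDE-IN is not already bound to the interface:
access-group OUTSIDE-IN in interface outside
!
! 4. Verify: the trace that dropped in the question should now end with
!    "Action: allow" and show no NAT rpf-check DROP phase.
packet-tracer input outside udp 181.66.39.98 1023 10.1.11.12 ntp
!
! ===== Each outside router (IOS, assumed) =====
! Authenticated NTP is optional but recommended, since the ASA rule accepts
! UDP/123 from these two addresses and plain NTP has no integrity protection.
! The same key must be configured on the NTP server side.
ntp authentication-key 1 md5 <shared-key>
ntp authenticate
ntp trusted-key 1
ntp server 10.1.11.12 key 1
!
! show ntp associations   -> the 10.1.11.12 line should be marked "*" (synced) after a few polls
! show ntp status         -> "Clock is synchronized"
```

If the ASA were on 8.3 or later, the "nat (inside) 0 access-list" line would instead be an identity twice-NAT rule of the form "nat (inside,outside) source static NTP-SRV NTP-SRV destination static NTP-CLIENTS NTP-CLIENTS" (with a host object for 10.1.11.12), and the outside ACL would reference the real address as it already does here.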