
NTP - Configuration


Hi Gurus of Cisco

I want to synchronize my devices that are on the outside interface (please see the image below).

NTP Scenario.jpg

My Firewall has the following configuration:


interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address


My NTP server is and is on VLAN 11 ( of my core switch.

From my core network I can reach the two devices that are on the outside interface:

CORE-SWITCH#ping source vlan 11 repeat 20
Type escape sequence to abort.
Sending 20, 100-byte ICMP Echos to, timeout is 2 seconds:
Packet sent with a source address of

Success rate is 100 percent (20/20), round-trip min/avg/max = 1/2/16 ms


If I run the ASDM "Packet Tracer" tool and select Interface "Inside", Packet Type "UDP", Source Address, Source Port NTP ---> Destination Address, Destination Port NTP, the packet can reach its destination:

packet-tracer input inside udp ntp ntp

The result is:

input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

But in the other direction:

packet-tracer input outside udp ntp ntp

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 2
  match ip inside any outside any
    dynamic translation to pool 2 (
    translate_hits = 2129309899, untranslate_hits = 249021388
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Based on the detail above, what lines must I add to my firewall configuration to synchronize my devices that are on the outside interface?

Any comments or suggestions are welcome.

1 Reply

NTP is typically used in a client/server way, where the two routers would be the clients and the core switch is the server. With that you have incoming connections from outside to inside. For that you not only need a permit entry in your outside ACL, but also a matching static NAT statement or a NAT exemption for that traffic.

The config could look like the following:

object-group network NTP-SERVER
  network-object host
  network-object host

access-list NAT-EXEMPT permit ip host object-group NTP-SERVER

nat (inside) 0 access-list NAT-EXEMPT

Probably there is already a NAT exemption on your inside interface, so you have to add it to your actual config.

Don't stop after you've improved your network! Improve the world by lending money to the working poor:
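The diagnosis in this thread comes down to reading the packet-tracer output correctly: the packet is dropped in phase 6 (NAT, rpf-check), which is the reverse-path NAT check failing for a flow that only matches the dynamic NAT rule in the wrong direction, even though the summary line says "acl-drop". The following Python script is an added example, not code from the thread or from Cisco; it parses packet-tracer output of the shape shown above, reports the first phase that dropped the packet, and maps the NAT/rpf-check case to the remedy the reply gives (static NAT or NAT exemption). The two sample outputs embedded in it are constructed to mirror the question's results; the pool address in them is a documentation placeholder, not an address from the thread.

```python
import re
from typing import Dict, List, Optional

Phase = Dict[str, object]

# Constructed sample: shaped like the outside->inside trace in the question.
# 203.0.113.10 is a placeholder pool address (RFC 5737), not from the thread.
SAMPLE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.0.0        255.255.255.0   inside

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 2
  match ip inside any outside any
    dynamic translation to pool 2 (203.0.113.10)
    translate_hits = 2129309899, untranslate_hits = 249021388
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample: shaped like the inside->outside trace that was allowed.
SAMPLE_ALLOW = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
"""


def parse_packet_tracer(text: str) -> Dict[str, object]:
    """Split ASA packet-tracer output into its phases plus the final verdict."""
    phases: List[Phase] = []
    current: Optional[Phase] = None
    action: Optional[str] = None
    drop_reason: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"^Phase:\s*(\d+)", line)
        if m:  # a new phase block begins
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": []}
            phases.append(current)
            continue
        if line.startswith("Result:") and not line.split(":", 1)[1].strip():
            current = None  # the bare "Result:" header starts the summary section
            continue
        if line.startswith("Action:"):
            action = line.split(":", 1)[1].strip().lower()
            continue
        if line.startswith("Drop-reason:"):
            drop_reason = line.split(":", 1)[1].strip()
            continue
        if current is None:
            continue
        for key in ("Type", "Subtype", "Result"):
            if line.startswith(key + ":"):
                current[key.lower()] = line.split(":", 1)[1].strip()
                break
        else:
            # Everything else inside a phase (the matched config) is kept verbatim.
            if line and not line.endswith(":"):
                current["config"].append(line.strip())
    return {"phases": phases, "action": action, "drop_reason": drop_reason}


def first_drop(report: Dict[str, object]) -> Optional[Phase]:
    """Return the first phase whose Result is DROP, or None if the packet passed."""
    for ph in report["phases"]:
        if str(ph["result"]).upper() == "DROP":
            return ph
    return None


def explain(report: Dict[str, object]) -> str:
    """Turn the parsed trace into a one-line diagnosis for the operator."""
    ph = first_drop(report)
    if ph is None:
        return "allowed: no phase dropped the packet"
    where = f"phase {ph['phase']} ({ph['type']}/{ph['subtype']})"
    if ph["type"] == "NAT" and ph["subtype"] == "rpf-check":
        return (f"dropped at {where}: reverse-path NAT check failed, the inbound flow "
                "only matched a dynamic NAT rule in the reverse direction; add a static "
                "NAT or a NAT exemption (nat 0) for this traffic "
                f"(drop-reason: {report['drop_reason']})")
    return f"dropped at {where} (drop-reason: {report['drop_reason']})"


if __name__ == "__main__":
    for sample in (SAMPLE_DROP, SAMPLE_ALLOW):
        print(explain(parse_packet_tracer(sample)))
```

Feed it the raw output of `packet-tracer input outside udp ... ntp ... ntp` and it points at the phase that actually matters (the NAT rpf-check) instead of the generic acl-drop summary, which is what makes the reply's NAT exemption the right fix rather than an ACL change alone.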
