cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
816
Views
0
Helpful
4
Replies

NTP Passthrough Pix 515e

ecnels
Level 1
Level 1

Hi Folks:

We have a Pix 515e with an Access-Control-List set only on the outside interface. We want a Win2k3 server PDC to obtain time via an Internet time server and have set the Win2k3 server to do so. NTP packets are either not getting out through the Pix or not getting back in through the Pix. Debug on the inside interface shows NTP packets arriving when the Win2k3 Server attempts to synchronize time with an Internet Time Server; but Debug on the outside interface doesn't show time coming back. Anyway, since there's only an ACL on the outside interface, we're expecting all inbound-to-outbound-initiated "2-way conversations" to be allowed??? How should the Pix be setup so this will work?

Thanks!

4 Replies 4

ajagadee
Cisco Employee
Cisco Employee

Hi,

Are you using PAT or Static NAT for the Win2K server when connecting to the NTP Server.

If PAT (nat/global) is used, then the PIX randomizes TCP and UDP sequence numbers and source port numbers when a connection is created. This is true for connections going out through PAT but not through NAT.

Since, NTP connection is made (always source and destination port is 123), if the connection is made using PAT, the source port is randomized and the NTP server might be expecting a connection coming with a source port of 123 and not the one randomized by the PIX.

So, if you are using PAT, NTP is not going to work in your case. You need to use a Static NAT, that is one-to-one mapping for the Win2K server.

I hope it helps.

Regards,

Arul

Well, this may be where I'm missing some understanding of how the Pix works. I'm expecting that since the server is sending the NTP time request that the Pix will automatically "retain" the fact that an NTP request went from an internal server to a specific Internet address on the outside and therefore when the Internet NTP server responds to the request, the Pix will automatically observe that a recent request went to the Internet from a specific local server and so the Pix will direct the request to that Server. What am I missing here about the way it actually workS?

Your understanding is correct. Since the traffic was initiated from a higher security interface to a lower security interface,

The Pix will retain the translation information and the return traffic will be directed to the w2k server.

But, the fact is, if you have configured the Pix to PAT the w2k server IP Address, then as per my previous post, Pix will translate the source port to something other than 123 and the NTP server on the internet will reject this request, since the NTP server expects a packet with source port 123.

BTW, have you configured the Pix for One to One Translation for the w2k server? and still having problems.

Let me know when you get a chance.

Regards,

Arul

Thanks for your help with this.

We have several one-to-one mappings; such as,

static (inside,outside) tcp aaa.aaa.aaa.aaa www xxx.xxx.xxx.xxx www netmask 255.255.255.255 0 0

and some of those static mappings do map to the server in question, just not for ntp. I did try temporarily try a static ntp mapping to another server with no success on the ntp reply.

Review Cisco Networking for a $25 gift card