cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1611
Views
0
Helpful
2
Replies
Beginner

NTP Request Through ASA Not Being Nat'ed And Therefore Failing!

I have a an ASA 5510, version 8.2(1) and I'm trying to get NTP from our Core Nexus 7K Switch through this to a Time Server on the Internet. This fails.

The ASA has three interfaces; Inside, Outside and Management. The 7K is behind the Management interface, this interface is configured so that it isn't management only. All other types of comms work through the Firewall OK but NTP fails. Heres how I prove it and the perplexing observation.

There are three rules on the Managment Interface:

  1. Allow from 7K to target Time Server on UDP NTP
  2. Allow from 7K to target Time Server on UDP TFTP
  3. Allow from 7K to target Time Server on TCP Telnet

I have a NAT rule to translate the 7K to an external address.

I start a packet capture on the ASA from the Management interface to the Outside interface and filter on the target Time Server, when I try the three different forms of communication from the 7K I get the following results:

  1. On the Management interface I can see the 7K original going to the Time Server on UDP NTP. On the Outside interface I see the 7K original going to the Time Server on UDP 123. Why isn't the 7K NAT'ed ??????
  2. On the Management interface I can see the 7K original going to the Time Server on UDP TFTP. On the Outside interface I see the 7K NAT'ed going to the Time Server on UDP TFTP. Brilliant just what it should do.
  3. On the Management interface I can see the 7K original going to the Time Server on TCP Telnet. On the Outside interface I see the 7K NAT'ed going to the Time Server on TCP Telnet. Brilliant just what it should do.

Why isn't the NTP getting NAT'ed ?????????

This is driving me crazy as the ASA is selectively not NATing the NTP packets.

Anyone got any idea why this isn't working?

Thanks,

Paul

Everyone's tags (8)
2 REPLIES 2
Highlighted
VIP Mentor

Re: NTP Request Through ASA Not Being Nat'ed And Therefore Faili

Is NTP really using the same source-IP as Telnet and TFTP?


Sent from Cisco Technical Support iPad App

Highlighted
Beginner

NTP Request Through ASA Not Being Nat'ed And Therefore Failing!

Yes the NTP, Telnet and TFTP are all from the same source address, thats why it is so crazy. Completely frustrating and driving me mad. The ASA is selectively not translating the NTP packets!!!!!!!