NTP Request Through ASA Not Being Nat'ed And Therefore Failing!

paul.l.kyte
Level 1

I have an ASA 5510, version 8.2(1), and I'm trying to get NTP from our Core Nexus 7K Switch through this to a Time Server on the Internet. This fails.

The ASA has three interfaces; Inside, Outside and Management. The 7K is behind the Management interface, and this interface is configured so that it isn't management only. All other types of comms work through the Firewall OK but NTP fails. Here's how I prove it and the perplexing observation.

There are three rules on the Management Interface:

  1. Allow from 7K to target Time Server on UDP NTP
  2. Allow from 7K to target Time Server on UDP TFTP
  3. Allow from 7K to target Time Server on TCP Telnet

I have a NAT rule to translate the 7K to an external address.

I start a packet capture on the ASA from the Management interface to the Outside interface and filter on the target Time Server, when I try the three different forms of communication from the 7K I get the following results:

  1. On the Management interface I can see the 7K original going to the Time Server on UDP NTP. On the Outside interface I see the 7K original going to the Time Server on UDP 123. Why isn't the 7K NAT'ed ??????
  2. On the Management interface I can see the 7K original going to the Time Server on UDP TFTP. On the Outside interface I see the 7K NAT'ed going to the Time Server on UDP TFTP. Brilliant just what it should do.
  3. On the Management interface I can see the 7K original going to the Time Server on TCP Telnet. On the Outside interface I see the 7K NAT'ed going to the Time Server on TCP Telnet. Brilliant just what it should do.

Why isn't the NTP getting NAT'ed ?????????

This is driving me crazy as the ASA is selectively not NATing the NTP packets.

Anyone got any idea why this isn't working?

Thanks,

Paul
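An added example, not from this thread or from Cisco, that automates the comparison Paul describes doing by hand: it parses a capture taken on the Management interface and one taken on the Outside interface and reports, per protocol and destination port, whether the inside source address was translated on the way out. The capture text is constructed here and only approximates the text format of the ASA `show capture` command; the addresses (10.10.10.7, 203.0.113.9, 192.0.2.50) are documentation-range placeholders, not the poster's real ones.

```python
import re
from collections import defaultdict

# Constructed sample captures (approximating ASA 'show capture' text output).
# CAP_MGMT is what the inside/Management side sees, CAP_OUTSIDE the Outside side.
# Only the NTP flow (udp/123) leaves with its original source address.
CAP_MGMT = """\
1: 10:15:01.100001 10.10.10.7.123 > 192.0.2.50.123:  udp 48
2: 10:15:02.200002 10.10.10.7.40123 > 192.0.2.50.69:  udp 20
3: 10:15:03.300003 10.10.10.7.51200 > 192.0.2.50.23: S 1111:1111(0) win 8192
"""
CAP_OUTSIDE = """\
1: 10:15:01.100101 10.10.10.7.123 > 192.0.2.50.123:  udp 48
2: 10:15:02.200102 203.0.113.9.40123 > 192.0.2.50.69:  udp 20
3: 10:15:03.300103 203.0.113.9.51200 > 192.0.2.50.23: S 1111:1111(0) win 8192
"""

# packet number, timestamp, "src.sport > dst.dport:" then protocol-specific text
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<rest>.*)$"
)


def parse_capture(text):
    """Yield (proto, src, sport, dst, dport) for each packet line that parses.

    The ASA prints 'udp <len>' for UDP; anything else is treated as TCP here.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto = "udp" if m.group("rest").lstrip().startswith("udp") else "tcp"
        yield (proto, m.group("src"), int(m.group("sport")),
               m.group("dst"), int(m.group("dport")))


def nat_check(inside_text, outside_text, inside_host, server):
    """Compare inside and outside captures flow by flow.

    Returns a dict keyed 'proto/dport' whose value says whether the inside
    host's source address was translated for that flow.
    """
    inside_flows = set()
    for proto, src, _sport, dst, dport in parse_capture(inside_text):
        if src == inside_host and dst == server:
            inside_flows.add((proto, dport))

    # Source addresses seen on the outside for each (proto, dport) to the server.
    outside_src = defaultdict(set)
    for proto, src, _sport, dst, dport in parse_capture(outside_text):
        if dst == server:
            outside_src[(proto, dport)].add(src)

    report = {}
    for proto, dport in sorted(inside_flows):
        key = f"{proto}/{dport}"
        srcs = outside_src.get((proto, dport), set())
        if not srcs:
            report[key] = "not seen on outside"
        elif inside_host in srcs:
            # The original inside address leaked through: NAT did not apply.
            report[key] = "NOT translated"
        else:
            report[key] = "translated to " + ",".join(sorted(srcs))
    return report


if __name__ == "__main__":
    for flow, verdict in nat_check(CAP_MGMT, CAP_OUTSIDE,
                                   "10.10.10.7", "192.0.2.50").items():
        print(f"{flow:8} {verdict}")
```

Flows are keyed on protocol and destination port rather than on source port, because dynamic PAT may rewrite the source port; any flow whose outside-side source set still contains the inside address is flagged, which is exactly the udp/123 case in the thread.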

2 Replies

Is NTP really using the same source-IP as Telnet and TFTP?


Sent from Cisco Technical Support iPad App

Yes, the NTP, Telnet and TFTP are all from the same source address, that's why it is so crazy. Completely frustrating and driving me mad. The ASA is selectively not translating the NTP packets!!!!!!!
