01-12-2004 05:43 PM - last edited on 02-21-2020 11:14 PM by cc_security_adm
Hi,
I am trying to set up a PIX (v6.3.3) to allow an internal host (Windows Server 2003 DC) to get its time from an NTP server on the Internet.
Sorry for all the questions...
1) I am confused because I thought the PIX allowed any connection originating from the inside. Based on that, why would I have to open UDP port 123?
2) What kind of vulnerabilities would "opening UDP port 123" to the outside world introduce to the LAN or internal host?
3) What is the process to get this accomplished if I am using PAT (one public IP address)? i.e. port redirection, access-list?
Thanks
01-13-2004 05:02 AM
Hi,
The following document might be of use for setting up NTP access on PIX:
Thanks - Jay.
01-13-2004 05:06 AM
Thanks Jay. I am familiar with this document however it describes a scenario that does not match my setup.
I have a simple one internal LAN with an NTP client inside and a PIX. My NTP client cannot sync with NTP servers on the outside.
01-13-2004 05:17 AM
Pierre,
Okay, if you ever have connection problems through the PIX, the best bet to troubleshoot it is to turn on syslogging; the PIX will tell you exactly what's going wrong then. Do the following:
logging on
logging buffer debug
sho logging
*To disable logging issue: no logging on*
Can you post the result from the above and we take it from there.
Thanks, Jay - If you wish post direct to me : jmia@ohgroup.co.uk
01-20-2004 07:51 PM
Thanks Jay. I learned that NTP servers need to initiate UDP connections with their clients. Therefore, a regular xlate from inside will not work. So, since the PIX uses PAT with a single public IP address, I set up port forwarding for UDP port 123 with a static and an access-list, and my internal client immediately started to sync with the NTP server on the Internet.
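The configuration Pierre describes in his last reply (a static port redirection plus an inbound access-list, with PAT on the outside interface address) written out in PIX 6.3 syntax as an added example; this is not the original poster's configuration. The inside DC address 192.168.1.10, the outside interface address 192.0.2.1 and the upstream NTP server 198.51.100.5 are placeholders, not values from the thread. Rather than permitting UDP 123 from any source, it permits the redirected port only from the one upstream server the DC is configured to use, which limits the exposure asked about in question 2 to that single peer.

```cisco
! --- Added example, PIX 6.3 syntax. Placeholder addresses:
!     192.168.1.10  inside Windows 2003 DC (NTP client)
!     192.0.2.1     outside interface address used for PAT
!     198.51.100.5  upstream NTP server the DC is configured to poll

! Redirect UDP/123 arriving at the PAT (outside interface) address to the DC.
! The "interface" keyword refers to the outside interface's own address.
static (inside,outside) udp interface 123 192.168.1.10 123 netmask 255.255.255.255 0 0

! Inbound access-list on the outside interface. Destination is the global
! (translated) address, i.e. the outside interface address, not the DC address.
! Source is restricted to the expected NTP server instead of "any".
access-list outside_in permit udp host 198.51.100.5 host 192.0.2.1 eq ntp

! Only one access-group per interface and direction: if an outside ACL already
! exists, add the permit line to that list instead of creating a second one.
access-group outside_in in interface outside

! Statics are not picked up by existing translations; clear and verify.
clear xlate
show xlate
show access-list outside_in
```

After applying this, the hit counter on `show access-list outside_in` should increment when the DC polls and the server answers; if it stays at zero, the syslog output Jay suggested above (`logging buffer debug` / `show logging`) will show which interface and port the dropped packet was seen on.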