NTP through ASA

agoraya
Level 1

I am trying to set up NTP from a router that is behind an ASA. I am trying to sync it with time.nist.gov (UDP port 123). However, "sh asso det" lists the NIST server as "insane and invalid". The ASA does do a source NAT and also changes the source port. When I use my backup internet connection, which is a DSL modem, NTP works fine (different NAT address). On the ASA, for NTP, the packets are getting NAT'ed and a UDP session is built. After 2 minutes the session is torn down.

Here is the syslog message:

Built outbound UDP connection 186440 for ouside:216.229.0.179/123 (216.229.0.179/123) to inside:172.16.64.4/123(xx.xx.xxx.xxx/409)

I have forced the NAT so that the source port stays 123 after NAT but no change.

 

Appreciate any input.

1 Reply

Marvin Rhoads
Hall of Fame

NTP shouldn't care what your source port is, as long as the destination is udp/123.

Since it looks like the udp flow is being set up, I'd suspect something upstream isn't getting your packets to the destination NTP server.
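To check from the firewall's own logs whether anything came back, the Built line quoted in the question can be paired with its Teardown record. The following Python sketch is an added example, not part of either post: it parses ASA 302015/302016 messages, reports the PAT rewrite of the source port, and flags udp/123 flows whose byte total is at most one 48-byte NTP packet. The Teardown lines, the second flow and the reading of the byte counter as covering both directions are assumptions made for illustration, and the heuristic only holds for a flow that carried a single poll.

```python
import re

# ASA 302015 (Built) and 302016 (Teardown) UDP connection messages.
BUILT = re.compile(
    r"Built (?:inbound|outbound) UDP connection (?P<id>\d+) for "
    r"\S+?:(?P<r_ip>[\d.]+)/(?P<r_port>\d+)\s*\([^)]*\) to "
    r"\S+?:(?P<l_ip>[\d.]+)/(?P<l_port>\d+)\s*\((?P<m_ip>[^/)]+)/(?P<m_port>\d+)\)")
TEARDOWN = re.compile(
    r"Teardown UDP connection (?P<id>\d+) for .*? duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+)")
NTP_PACKET_BYTES = 48  # NTP request or reply without extension fields


def ntp_flows(lines):
    """Pair Built/Teardown records for udp/123 flows, keyed by connection id."""
    flows = {}
    for line in lines:
        m = BUILT.search(line)
        if m and m["r_port"] == "123":
            flows[m["id"]] = {
                "remote": m["r_ip"],
                "local": f'{m["l_ip"]}/{m["l_port"]}',
                "mapped": f'{m["m_ip"]}/{m["m_port"]}',
                "port_rewritten": m["l_port"] != m["m_port"],
                "duration": None, "bytes": None, "reply_seen": None}
            continue
        m = TEARDOWN.search(line)
        if m and m["id"] in flows:
            flow = flows[m["id"]]
            flow["duration"], flow["bytes"] = m["dur"], int(m["bytes"])
            # Assumption: the counter covers payload in both directions, so a
            # total of one packet or less means no reply crossed the firewall.
            flow["reply_seen"] = flow["bytes"] > NTP_PACKET_BYTES
    return flows


SAMPLE = [
    # The first message is the one from the post; the rest are constructed.
    "Built outbound UDP connection 186440 for ouside:216.229.0.179/123 "
    "(216.229.0.179/123) to inside:172.16.64.4/123(xx.xx.xxx.xxx/409)",
    "Teardown UDP connection 186440 for ouside:216.229.0.179/123 to "
    "inside:172.16.64.4/123 duration 0:02:01 bytes 48",
    "Built outbound UDP connection 186502 for outside:192.0.2.10/123 "
    "(192.0.2.10/123) to inside:172.16.64.4/123 (198.51.100.7/123)",
    "Teardown UDP connection 186502 for outside:192.0.2.10/123 to "
    "inside:172.16.64.4/123 duration 0:02:02 bytes 96",
]

if __name__ == "__main__":
    for conn_id, flow in ntp_flows(SAMPLE).items():
        print(conn_id, flow)
```

A flow with `reply_seen` set to False is consistent with the reply's suggestion that the request is being lost upstream of the ASA; a packet capture on the outside interface would confirm it.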
