Opening UDP port 123

chrishall
Level 1

Good morning,

I've been having problems with external NTP time servers not responding, causing time sync problems in our network. Can someone tell me the best way to handle allowing traffic on UDP port 123?

6 Replies

jmia
Level 7

Hi,

Here is a good explanation of how to set up NTP on a PIX; I was actually looking for something else on NTP and PIX when I came across this post on the net.

Basically, say for example my Linux box is 10.0.1.9, then I have the following as part of an access-list definition:

access-list inside_access_in permit udp host 10.0.1.9 any eq ntp

And then I use 'access-group' to bind this to the incoming data going to the internal interface (i.e. data from the internal machines going to the PIX). The default configuration of the PIX is to permit all outbound data, but I always limit access to stop people running p2p software, for example.

This allows the Linux machine to send NTP traffic out to the Internet and get replies. I then have the following in the PIX configuration to tell it to use the Linux box as the NTP server:

ntp server 10.0.1.9 source inside prefer

Remember to issue clear xlate and save with write mem.

Hope this helps and let me know if you need further help.

Jay

Jay,

Thanks for your reply. Does it matter that we use private IP addresses internally and NAT at the f/w? It looks like we have some conduit statements that use our public addresses.

NTP should be able to go out across your firewall just like HTTP requests do. Can you crank up NTP logging to make certain that those servers *ever* respond, as some publicly listed NTP servers are dormant.

For a bank, you could also kick around just buying a hardware clock.
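An added example, not part of the original thread or anyone's posted config: a small Python probe that sends one NTP client request on UDP/123 and decodes whatever comes back. It lets you separate three cases the firewall logs alone won't: no reply at all (a dropped packet or a dormant server look the same from here), a reply from a server that is itself unsynchronised, and a kiss-o'-death reply telling you to back off. The default host pool.ntp.org and the two embedded sample replies are assumptions I constructed for the example, not captures from the thread.

```python
"""Probe an NTP server on UDP/123 and decode the reply (RFC 5905 layout).

Added example; not code from the original thread.
"""
import socket
import struct
import time
from typing import Optional

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01
# 48-byte header: LI/VN/Mode, stratum, poll, precision, root delay,
# root dispersion, reference id, then four 64-bit timestamps.
HEADER = "!BBbbIIIQQQQ"


def build_request() -> bytes:
    # LI=0, VN=4, Mode=3 (client) packs to 0x23; the rest may be zero for a probe.
    return bytes([0x23]) + bytes(47)


def ntp_to_unix(raw: int) -> float:
    # 64-bit NTP timestamp: high 32 bits seconds since 1900, low 32 bits fraction.
    seconds = raw >> 32
    fraction = raw & 0xFFFFFFFF
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def parse_response(data: bytes) -> dict:
    if len(data) < 48:
        raise ValueError(f"short NTP packet: {len(data)} bytes")
    (first, stratum, _poll, _precision, _root_delay, _root_disp, refid,
     _ref_ts, _orig_ts, _recv_ts, xmit_ts) = struct.unpack(HEADER, data[:48])
    leap = first >> 6
    version = (first >> 3) & 0x7
    mode = first & 0x7
    return {
        "leap": leap,
        "version": version,
        "mode": mode,
        "stratum": stratum,
        "refid": refid,
        # Stratum 0 replies are kiss-o'-death; the refid then holds an ASCII
        # code such as RATE or DENY rather than an address.
        "kiss_code": refid.to_bytes(4, "big").decode("ascii", "replace") if stratum == 0 else None,
        "transmit_time": ntp_to_unix(xmit_ts),
        # Usable only if it is a server reply (mode 4), the leap field is not
        # 3 (clock unsynchronised) and the stratum is in the valid 1..15 range.
        "usable": mode == 4 and leap != 3 and 0 < stratum < 16,
    }


def probe(server: str, timeout: float = 3.0) -> Optional[dict]:
    """Send one request; return the decoded reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sent = time.time()
        sock.sendto(build_request(), (server, NTP_PORT))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    info = parse_response(data)
    info["rtt"] = time.time() - sent
    info["offset"] = info["transmit_time"] - time.time()  # rough, ignores RTT
    return info


# Constructed sample replies (not real captures) for offline checks.
# Healthy: LI=0 VN=4 Mode=4 (0x24), stratum 2, refid 10.0.1.9,
# transmit timestamp 2024-01-01T00:00:00Z = NTP seconds 3913056000.
SAMPLE_OK = struct.pack(HEADER, 0x24, 2, 6, -20, 0, 0, 0x0A000109,
                        0, 0, 0, 3913056000 << 32)
# Kiss-o'-death: stratum 0, refid spelling "RATE".
SAMPLE_KOD = struct.pack(HEADER, 0x24, 0, 6, -20, 0, 0, 0x52415445,
                         0, 0, 0, 3913056000 << 32)


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["pool.ntp.org"]:  # default host is an assumption
        reply = probe(host)
        if reply is None:
            print(f"{host}: no reply within timeout (dropped or dormant)")
        elif not reply["usable"]:
            print(f"{host}: replied but unusable: stratum {reply['stratum']}, "
                  f"leap {reply['leap']}, kiss code {reply['kiss_code']}")
        else:
            print(f"{host}: stratum {reply['stratum']}, rtt {reply['rtt'] * 1000:.0f} ms, "
                  f"offset {reply['offset']:+.3f} s")
```

Run it from the host behind the PIX against each configured server. A timeout on its own does not tell you which side is at fault, so pair it with the PIX log: if the outbound UDP/123 xlate is built and nothing comes back, the server is the problem; if no xlate appears, the ACL or NAT is.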

I'm not familiar with a hardware clock, outside of the obvious internal clock on all PCs. I also talked to my hardware reseller and she's not familiar with it either. What's a hardware clock?

http://www.franklinclock.com/gps.htm

This type of thing. Not a recommendation, just the first example google kicked up.

http://www.boulder.nist.gov/timefreq/general/receiverlist.htm

appears to be a NIST list of vendors

Thanks for the info. At this point, I don't think it's a problem with the firewall blocking any ports, as this hasn't been a problem in the past and at some point the time does get corrected. So, thanks everyone for your posts.