select port range for nat overload

d.palumbo
Level 1

Hi,

I own a Cisco 877.

I have several ntpd (isc implementation, http://www.ntp.org), in LAN.

More than one server (at least 2 by design) connect to internet to sync the date.

The ntp daemon has 2 limitations:
1) when it tries to connect to a remote server, it always does so with source port 123/udp
2) as a server, it only accepts connections from source port 123/udp or >=1024/udp

Almost all of the ntp servers on the internet make use of this implementation.
http://bugs.ntp.org/show_bug.cgi?id=2174
https://groups.google.com/forum/#!msg/comp.protocols.time.ntp/hpAHNwrFvAM/eLIUuXPQJDAJ

The topic now is that the 877 tries to check if the source port used by the application is available.
If yes, it uses it (so the first ntp client will connect with source 123/udp);
if it is in use, the 877 takes the first free port in the following pool:
--
Note: For Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), the ranges are: 1-511, 512-1023, 1024-65535. For Internet Control Message Protocol (ICMP), the first group starts at 0.
--
Ref: http://www.cisco.com/c/en/us/products/collateral/security/ios-network-address-translation-nat/prod_qas0900aecd801ba55a.html

So, I need to find a solution, otherwise the ntp daemon will never work.

I have found:
https://www.reddit.com/r/Cisco/comments/2u8eem/is_it_possible_to_restrict_nat_outside_port_range/

But this solution is really not clean and not working for me. When I add

ip nat inside source static udp 127.0.0.1 222 80.68.188.228 222

in the configuration, ARP from the Cisco will try to take ownership of any server I try to connect to in the LAN with port 222, even if TCP.

I have tried then:
http://www.cisco.com/c/en/us/td/docs/ios/12_4t/ip_addr/configuration/guide/htpt4pat.html
but I am not reaching a working configuration either.

More generally, how can I tell the Cisco to change the port group range and use only >1024?

Thanks,

Daniele
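As an added illustration (not code from the original post), here is a small Python model of the PAT port selection the question describes: the first LAN client keeps 123/udp, later clients fall back into the 1-511 group, and a remote ntpd that only accepts 123 or >=1024 refuses them. The "first free port in ascending order" rule and the sample LAN addresses are assumptions; the port groups are the TCP/UDP ranges quoted from Cisco's Q&A above.

```python
# Added model (not from the original post) of the overload port selection the
# question describes; PORT_GROUPS are the TCP/UDP ranges quoted from Cisco's Q&A.
PORT_GROUPS = ((1, 511), (512, 1023), (1024, 65535))


def ntpd_accepts(src_port):
    """Remote ntpd rule from the question: source 123/udp or >=1024/udp is accepted."""
    return src_port == 123 or src_port >= 1024


def group_for(port):
    for lo, hi in PORT_GROUPS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"port {port} out of range")


class PatTable:
    """Overload behaviour as described: keep the inside source port if it is
    still free on the outside address, otherwise take the first free port in
    the same group (assumption: ports are tried in ascending order)."""

    def __init__(self):
        self.in_use = set()
        self.entries = {}  # (inside_ip, inside_port) -> outside port

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key in self.entries:  # an existing translation is reused
            return self.entries[key]
        if inside_port not in self.in_use:
            chosen = inside_port
        else:
            lo, hi = group_for(inside_port)
            chosen = next((p for p in range(lo, hi + 1) if p not in self.in_use), None)
            if chosen is None:
                raise RuntimeError(f"port group {lo}-{hi} exhausted")
        self.in_use.add(chosen)
        self.entries[key] = chosen
        return chosen


def simulate(clients, src_port=123):
    """One request per LAN client; returns (ip, outside port, accepted by remote ntpd)."""
    table = PatTable()
    results = []
    for ip in clients:
        port = table.translate(ip, src_port)
        results.append((ip, port, ntpd_accepts(port)))
    return results


if __name__ == "__main__":
    # Constructed sample LAN (RFC 5737 addresses): three ntpd hosts, all sourcing from 123/udp
    for ip, port, ok in simulate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        print(f"{ip}:123 -> outside {port}: {'accepted' if ok else 'rejected by remote ntpd'}")
```

Running the model shows why only one internal ntpd ever syncs through the overload: every later client lands on a port below 512, which the remote server discards.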

1 Reply

Philip D'Ath
VIP Alumni

I don't believe you will get this to work. You can enable NTP on the 877, since it has a public IP address on it, and then sync your internal NTP servers against that.