02-17-2016 03:00 PM
Hi,
I own a Cisco 877.
I have several ntpd (isc implementation, http://www.ntp.org), in LAN.
More than one server (at least 2 by design) connects to the internet to sync the date.
The ntp daemon has 2 limitations:
1) when it tries to connect to a remote server, it always does so with source port 123/udp
2) as a server, it only accepts connections from source port 123/udp or >=1024/udp
Almost all of the ntp servers on the internet make use of this implementation.
http://bugs.ntp.org/show_bug.cgi?id=2174
https://groups.google.com/forum/#!msg/comp.protocols.time.ntp/hpAHNwrFvAM/eLIUuXPQJDAJ
The issue now is that the 877 checks whether the source port used by the application is available.
If yes, it uses it (so the first ntp client will connect with source 123/udp);
if it is in use, the 877 takes the first free port from the following pool:
--
Note: For Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), the ranges are: 1-511, 512-1023, 1024-65535. For Internet Control Message Protocol (ICMP), the first group starts at 0.
--
Ref: http://www.cisco.com/c/en/us/products/collateral/security/ios-network-address-translation-nat/prod_qas0900aecd801ba55a.html
So I need to find a solution, otherwise the ntp daemon will never work.
I have found:
https://www.reddit.com/r/Cisco/comments/2u8eem/is_it_possible_to_restrict_nat_outside_port_range/
But this solution is really not clean and is not working for me. When I add
ip nat inside source static udp 127.0.0.1 222 80.68.188.228 222
in the configuration, ARP from the Cisco will try to take ownership of any server I try to connect to in the LAN on port 222, even over TCP.
I have tried then:
http://www.cisco.com/c/en/us/td/docs/ios/12_4t/ip_addr/configuration/guide/htpt4pat.html
but I have not managed to get a working configuration either.
More generally, how can I tell the Cisco to change the port group range and use only >1024?
Thanks,
Daniele
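The collision the post describes, worked through as an added example (this is not code from the thread, from Cisco, or from ntpd). The PAT model below assumes the policy the linked Cisco NAT Q&A describes: keep the original source port when it is free, otherwise hand out the lowest free port in the same group (1-511, 512-1023, 1024-65535); it is a model, not a capture from a real 877. The ntpd filter is the rule stated in the post (source port 123 or >= 1024). The `probe()` helper is an added utility for testing a given upstream server from different source ports; server name and timeout are assumptions.

```python
import socket
import struct

NTP_PORT = 123
NTP_UNIX_DELTA = 2208988800  # seconds between 1900-01-01 and 1970-01-01
# Port groups from the Cisco NAT Q&A the post links to.
PORT_GROUPS = ((1, 511), (512, 1023), (1024, 65535))


def port_group(port):
    """Return the (low, high) PAT port group that contains `port`."""
    for lo, hi in PORT_GROUPS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError("port %d is outside 1-65535" % port)


class PatTable:
    """Minimal model of IOS PAT source-port selection for one outside address.

    Assumed policy (not captured from a real 877): keep the original source
    port if it is free, otherwise hand out the lowest free port in the same
    group as the original port.
    """

    def __init__(self):
        self.in_use = set()

    def allocate(self, orig_port):
        if orig_port not in self.in_use:
            chosen = orig_port
        else:
            lo, hi = port_group(orig_port)
            chosen = next((p for p in range(lo, hi + 1) if p not in self.in_use), None)
            if chosen is None:
                raise RuntimeError("no free port left in group %d-%d" % (lo, hi))
        self.in_use.add(chosen)
        return chosen


def ntpd_accepts_source_port(port):
    """ntpd's rule as stated in the post: answer only source port 123 or >= 1024."""
    return port == NTP_PORT or port >= 1024


def simulate_lan_clients(count):
    """Translate `count` LAN ntpd clients that all send from 123/udp.

    Returns (client_number, translated_port, answered_by_remote_ntpd) tuples.
    Only the first client keeps port 123; the rest land in 1-511 and are dropped.
    """
    pat = PatTable()
    result = []
    for n in range(1, count + 1):
        port = pat.allocate(NTP_PORT)
        result.append((n, port, ntpd_accepts_source_port(port)))
    return result


def build_ntp_request():
    """48-byte NTPv4 client-mode request (LI=0, VN=4, mode=3), all other fields zero."""
    return bytes([0x23]) + bytes(47)


def parse_ntp_reply(data):
    """Extract mode, stratum and the transmit timestamp (as Unix time) from a reply."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    mode = data[0] & 0x07
    stratum = data[1]
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    return mode, stratum, tx_sec - NTP_UNIX_DELTA + tx_frac / 2 ** 32


def probe(server, source_port, timeout=2.0):
    """Send one request from `source_port` and return the parsed reply, or None on timeout.

    Binding to 123 needs root. Run it from 123, from a port below 1024 and from
    an ephemeral port to see which translated source ports a given upstream
    server really answers. Network access required; not exercised by the tests.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("", source_port))
        s.settimeout(timeout)
        s.sendto(build_ntp_request(), (server, NTP_PORT))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_ntp_reply(data)


if __name__ == "__main__":
    for n, port, ok in simulate_lan_clients(3):
        print("client %d -> outside port %5d -> %s"
              % (n, port, "answered" if ok else "dropped by remote ntpd"))
```

Running the simulation shows why a second internal ntpd never syncs: its packets leave the 877 from a port in 1-511 that is not 123, which the remote ntpd silently drops. The same model shows that the outside port would be acceptable only if the translation landed in the 1024-65535 group, which is exactly the range the post asks how to force.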
02-18-2016 01:33 AM
I don't believe you will get this to work. You can enable NTP on the 877, since it has a public IP address on it, and then sync your internal NTP servers against that.