Allowing NTP

Unanswered Question
Dec 12th, 2007

What would the access list look like to allow NTP? I tried this but it doesn't seem to be working. I'm using time.nist.gov for the time server.


access-list 151 permit udp host 192.43.244.18 any eq ntp

Richard Burts Wed, 12/12/2007 - 10:45

Paul


The syntax of the access list looks ok - if the access list is applied inbound on the outward facing interface of your router or is applied outbound on the inward facing interface of your router.


You have the source address specified as the address of time.nist.gov, the protocol is udp, and the destination port specified as ntp, so that part should work. I would guess that either the access list is not applied correctly or that there is some line further up in the access list that is preventing the traffic before it gets to this line.


And of course there are other possibilities such as the possibility that you might not have IP reachability to the address of time.nist.gov or that there might be some firewall or something that is filtering the packet before it gets to the router where the access list is configured.


HTH


Rick

Also do a permit ACL for the NTP server itself.


ntp logging

ntp clock-period 17179889

ntp source int fa0/0

ntp access-group peer 15

ntp update-calendar

ntp server 192.43.244.18 prefer


Access-list 15 permit 192.43.244.18

access-list 15 permit 192.168.1.1 (ip address of fa0/0 or whatever your outside interface is)

access-list 15 deny any log


BTW this access list is different than the access list that is applied to the outside interface. That is why it is 15 and not 151.
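To make Rick's point about ordering concrete, here is an added example (not code from the thread or from Cisco) that simulates first-match evaluation for the two kinds of access list above: the extended list 151 from the question and the standard list 15 used by `ntp access-group peer`. It understands only the syntax used in this thread (`host`, `any`, `eq ntp`, a bare address in a standard list, a trailing `log`); the router address 203.0.113.10 and the second source 198.51.100.7 are constructed sample values.

```python
"""First-match simulator for the Cisco IOS access-list lines in this thread.

Added example, not code from the original posts. It handles only the syntax
they use: numbered standard lines ("access-list 15 permit A.B.C.D",
"deny any [log]") and numbered extended lines ("access-list 151 permit udp
host A.B.C.D any eq ntp"). Wildcard masks and other keywords are out of
scope; the packet addresses below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"ntp": 123}          # the only named port used in the thread
L4_PROTOCOLS = {"ip", "udp", "tcp"}


@dataclass
class Packet:
    proto: str      # "udp" or "tcp"
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    dport: int      # destination port


@dataclass
class Rule:
    action: str               # "permit" or "deny"
    proto: Optional[str]      # None for a standard ACL (source address only)
    src: Optional[str]        # None means "any"
    dst: Optional[str]        # None means "any"; always None for standard ACLs
    dport: Optional[int]      # None means any destination port


def parse_rule(line: str) -> Rule:
    tokens = line.split()
    if tokens[0].lower() != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action = tokens[2]
    idx = 3
    proto = None
    if tokens[idx] in L4_PROTOCOLS:       # extended ACL carries a protocol
        proto = tokens[idx]
        idx += 1

    def take_addr() -> Optional[str]:
        nonlocal idx
        tok = tokens[idx]
        if tok == "any":
            idx += 1
            return None
        if tok == "host":                 # extended form: "host A.B.C.D"
            idx += 2
            return tokens[idx - 1]
        if proto is None:                 # standard form: bare address
            idx += 1
            return tok
        raise ValueError(f"unsupported address form in {line!r}")

    src = take_addr()
    dst = take_addr() if proto is not None else None
    dport = None
    if idx < len(tokens) and tokens[idx] == "eq":
        port = tokens[idx + 1]
        dport = int(port) if port.isdigit() else PORT_NAMES[port]
    # a trailing "log" keyword only affects logging, not the match decision
    return Rule(action, proto, src, dst, dport)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in (None, "ip") and rule.proto != pkt.proto:
        return False
    if rule.src is not None and rule.src != pkt.src:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """Walk the ACL top to bottom; the first matching line decides.
    A packet that matches nothing hits the implicit deny at the end."""
    for line in acl:
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule.action, line
    return "deny", "implicit deny"


# Constructed sample: an NTP reply from time.nist.gov to a router whose
# outside address is 203.0.113.10 (documentation range, chosen here).
NTP_REPLY = Packet("udp", "192.43.244.18", "203.0.113.10", 123)
OTHER_UDP = Packet("udp", "198.51.100.7", "203.0.113.10", 123)

# The interface ACL exactly as posted in the question.
ACL_151 = ["access-list 151 permit udp host 192.43.244.18 any eq ntp"]

# The same permit with a broader deny above it: the permit is never reached,
# which is the "line further up in the access list" failure Rick describes.
ACL_151_SHADOWED = ["access-list 151 deny udp any any"] + ACL_151

# The NTP peer list from Rick's reply, used by "ntp access-group peer 15".
ACL_15 = [
    "Access-list 15 permit 192.43.244.18",
    "access-list 15 permit 192.168.1.1",
    "access-list 15 deny any log",
]

if __name__ == "__main__":
    for name, acl in (("151", ACL_151), ("151 shadowed", ACL_151_SHADOWED),
                      ("15", ACL_15)):
        print(name, evaluate(acl, NTP_REPLY))
```

Running it shows the posted line 151 permitting the reply on its own, the same line never being consulted once a `deny udp any any` sits above it, and list 15 admitting only the configured server and source address before its explicit `deny any log`.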



guruprasadr Wed, 12/12/2007 - 20:51

HI, [Do Rate all HELPFUL POSTS]


In addition to Rick's comments:


Sample Configuration:

-------------------------

access-list 31 permit xxx.xxx.xxx.xxx

access-list 31 permit xxx.xxx.xxx.xxx

!! ACL permit Statement for NTP Server


ntp clock-period 17179923

ntp source GigabitEthernet0/1

!! Gig Eth 0/1 connected to LAN Backbone

ntp access-group peer 31

ntp server xxx.xxx.xxx.xxx prefer

ntp server xxx.xxx.xxx.xxx


Do RATE ALL HELPFUL POSTS


Best Regards,


Guru Prasad R

alessandro.veras Wed, 12/12/2007 - 15:48

Hi,

You can try a ping test on the time server.

And verify the protocols with the following commands:

show ntp associations

show ntp status

You can also check if the access-list in the ntp configuration is matching (ntp access-group peer).

