Allowing NTP

Unanswered Question
Dec 12th, 2007
User Badges:

What would the access list look like to allow NTP? I tried this but doesn't seem to be working. I'm using for the time server.

access-list 151 permit udp host any eq ntp

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Richard Burts Wed, 12/12/2007 - 10:45
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN


The syntax of the access list looks ok - if the access list is applied inbound on the outward facing interface of your router or is applied outbound on the inward facing interface of your router.

You have the source address specified as the address of, the protocol is udp, and the destination port specified as ntp, so that part should work. I would guess that either the access list is not applied correctly or that there is some line further up in the access list that is preventing the traffic before it gets to this line.

And of course there are other possibilities such as the possibility that you might not have IP reachability to the address of or that there might be some firewall or something that is filtering the packet before it gets to the router where the access list is configured.



Also do a permit ACL for the NTP server itself.

ntp logging

ntp clock-period 17179889

ntp source int fa0/0

ntp access-group peer 15

ntp update-calendar

ntp server prefer

Access-list 15 permit

access-list 15 permit (ip address of fa0/0 or whatever your outside interface is)

access-list 15 deny any log

BTW this access list is different than the access list that is applied to the outside interface. That is why it is 15 and not 151.

guruprasadr Wed, 12/12/2007 - 20:51
User Badges:
  • Gold, 750 points or more


In addition to Rick comments:

Sample Configuration:


access-list 31 permit

access-list 31 permit

!! ACL permit Statement for NTP Server

ntp clock-period 17179923

ntp source GigabitEthernet0/1

!! Gig Eth 0/1 connected to LAN Backbone

ntp access-group peer 31

ntp server prefer

ntp server


Best Regards,

Guru Prasad R

alessandro.veras Wed, 12/12/2007 - 15:48
User Badges:


You can try a ping test on the time server.

And verify the protocols with the following commands:

show ntp associations

show ntp status

You can check too if the access-list configuration in the ntp configuration is mathing ( ntp access-group peer );


This Discussion