12-12-2007 10:34 AM - edited 03-03-2019 07:54 PM
What would the access list look like to allow NTP? I tried this but it doesn't seem to be working. I'm using time.nist.gov for the time server.
access-list 151 permit udp host 192.43.244.18 any eq ntp
12-12-2007 10:45 AM
Paul
The syntax of the access list looks ok - if the access list is applied inbound on the outward facing interface of your router or is applied outbound on the inward facing interface of your router.
You have the source address specified as the address of time.nist.gov, the protocol is udp, and the destination port specified as ntp, so that part should work. I would guess that either the access list is not applied correctly or that there is some line further up in the access list that is preventing the traffic before it gets to this line.
And of course there are other possibilities such as the possibility that you might not have IP reachability to the address of time.nist.gov or that there might be some firewall or something that is filtering the packet before it gets to the router where the access list is configured.
HTH
Rick
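The first-match behaviour described in the reply above, as an added example that is not part of the original thread: a small Python evaluator for a subset of IOS extended ACL syntax, run against a constructed NTP reply packet. The earlier `deny udp any any` line and the assumption that the reply arrives with destination UDP port 123 are illustrative, not taken from the poster's configuration.

```python
import ipaddress

PORTS = {"ntp": 123}  # IOS keyword "ntp" stands for UDP port 123

def parse_ace(line):
    """Parse a subset of IOS extended ACL syntax: host/any addresses, optional 'eq' dst port."""
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[4:]
    nets = []
    for _ in range(2):  # source first, then destination
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ipaddress.ip_network(rest[1] + "/32"))
            rest = rest[2:]
        else:
            raise ValueError("unsupported address form: " + line)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORTS.get(rest[1]) or int(rest[1])
    return action, proto, nets[0], nets[1], dport

def evaluate(acl, pkt):
    """Return (action, deciding line); first match wins, then the implicit deny."""
    for line in acl:
        action, proto, src, dst, dport = parse_ace(line)
        if proto not in ("ip", pkt["proto"]):
            continue
        if ipaddress.ip_address(pkt["src"]) not in src:
            continue
        if ipaddress.ip_address(pkt["dst"]) not in dst:
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        return action, line
    return "deny", "implicit deny any"

# Constructed sample: reply from the time server to the router, UDP 123 -> 123 (assumed)
REPLY = {"proto": "udp", "src": "192.43.244.18", "dst": "192.168.1.1", "dport": 123}
ACL_OK = ["access-list 151 permit udp host 192.43.244.18 any eq ntp"]
# Hypothetical earlier line that shadows the permit
ACL_SHADOWED = ["access-list 151 deny udp any any"] + ACL_OK

if __name__ == "__main__":
    for name, acl in (("original", ACL_OK), ("shadowed", ACL_SHADOWED)):
        print(name, "->", evaluate(acl, REPLY))
```

On the router itself, the per-line match counters in `show access-lists 151` give the same answer: the line whose counter increments is the one deciding the packet.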
12-12-2007 02:59 PM
Also do a permit ACL for the NTP server itself.
ntp logging
ntp clock-period 17179889
ntp source FastEthernet0/0
ntp access-group peer 15
ntp update-calendar
ntp server 192.43.244.18 prefer
access-list 15 permit 192.43.244.18
! 192.168.1.1 = IP address of fa0/0 or whatever your outside interface is
access-list 15 permit 192.168.1.1
access-list 15 deny any log
BTW this access list is different than the access list that is applied to the outside interface. That is why it is 15 and not 151.
12-12-2007 08:51 PM
Hi, [Do Rate all HELPFUL POSTS]
In addition to Rick's comments:
Sample Configuration:
-------------------------
access-list 31 permit xxx.xxx.xxx.xxx
access-list 31 permit xxx.xxx.xxx.xxx
!! ACL permit Statement for NTP Server
ntp clock-period 17179923
ntp source GigabitEthernet0/1
!! Gig Eth 0/1 connected to LAN Backbone
ntp access-group peer 31
ntp server xxx.xxx.xxx.xxx prefer
ntp server xxx.xxx.xxx.xxx
Do RATE ALL HELPFUL POSTS
Best Regards,
Guru Prasad R
12-12-2007 03:48 PM
Hi,
You can try a ping test on the time server.
And verify the protocols with the following commands:
show ntp associations
show ntp status
You can also check whether the access-list configuration in the NTP configuration is matching (ntp access-group peer).