Allowing NTP

dexteroc1
Level 1

What would the access list look like to allow NTP? I tried this but it doesn't seem to be working. I'm using time.nist.gov for the time server.

access-list 151 permit udp host 192.43.244.18 any eq ntp

4 Replies

Richard Burts
Hall of Fame

Paul

The syntax of the access list looks ok - if the access list is applied inbound on the outward facing interface of your router or is applied outbound on the inward facing interface of your router.

You have the source address specified as the address of time.nist.gov, the protocol is udp, and the destination port specified as ntp, so that part should work. I would guess that either the access list is not applied correctly or that there is some line further up in the access list that is preventing the traffic before it gets to this line.

And of course there are other possibilities such as the possibility that you might not have IP reachability to the address of time.nist.gov or that there might be some firewall or something that is filtering the packet before it gets to the router where the access list is configured.

HTH

Rick

richf
Level 1

Also do a permit ACL for the NTP server itself.

ntp logging
ntp clock-period 17179889
ntp source int fa0/0
ntp access-group peer 15
ntp update-calendar
ntp server 192.43.244.18 prefer

access-list 15 permit 192.43.244.18
access-list 15 permit 192.168.1.1 (ip address of fa0/0 or whatever your outside interface is)
access-list 15 deny any log

BTW this access list is different than the access list that is applied to the outside interface. That is why it is 15 and not 151.
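Putting Rick's point about where the interface ACL is applied together with richf's ntp access-group, here is a complete sample configuration written for this thread (an added example, not from any of the posters). It assumes the outside interface is GigabitEthernet0/0 and uses 192.43.244.18 for time.nist.gov as in the question.

```cisco
! Extended ACL 151, applied INBOUND on the outside interface. It permits
! the NTP reply coming back from the server. Entries are matched top
! down, so a "deny" placed above this line would drop the reply before
! it is ever evaluated; keep the permit above any deny.
! NTP servers answer from UDP 123 and IOS sends its requests from UDP
! 123, so both source and destination port can be pinned to ntp.
access-list 151 remark -- NTP reply from time.nist.gov --
access-list 151 permit udp host 192.43.244.18 eq ntp any eq ntp
! ... other permits for the return traffic you need go here ...
access-list 151 deny ip any any log
!
interface GigabitEthernet0/0
 description Outside (assumed interface name for this example)
 ip access-group 151 in
!
! Standard ACL 15 is NOT applied to an interface. It is consulted by
! "ntp access-group peer", so the NTP process only accepts time from
! this one server even if something else reaches UDP 123.
access-list 15 remark -- peers the ntp process may synchronise with --
access-list 15 permit 192.43.244.18
access-list 15 deny any log
!
ntp access-group peer 15
ntp source GigabitEthernet0/0
ntp server 192.43.244.18 prefer
!
! Verification: "show ntp associations" lists the server with * (synced)
! or + (candidate) once a few polls have completed. "show access-lists
! 151" shows the match counter on the permit line increasing; a counter
! rising on a deny line instead points at the entry that is blocking it.
```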

Hi,

In addition to Rick's comments:

Sample Configuration:

-------------------------

access-list 31 permit xxx.xxx.xxx.xxx
access-list 31 permit xxx.xxx.xxx.xxx
!! ACL permit statement for NTP server
ntp clock-period 17179923
ntp source GigabitEthernet0/1
!! Gig Eth 0/1 connected to LAN backbone
ntp access-group peer 31
ntp server xxx.xxx.xxx.xxx prefer
ntp server xxx.xxx.xxx.xxx

Best Regards,

Guru Prasad R

Hi,

You can try a ping test on the time server.

And verify the protocols with the following commands:

show ntp associations

show ntp status

You can also check whether the access-list configuration referenced in the ntp configuration (ntp access-group peer) is matching.