NTP Pass through PIX525

Unanswered Question
Nov 3rd, 2008

We have servers which we want to get clocking info from public NTP servers on the net.

How do we configure our firewall to allow NTP traffic to pass through?

Jon Marshall Mon, 11/03/2008 - 03:12

Are you restricting traffic on the inside interface of your PIX?

If so, you will need to allow through requests to an NTP server:

object-group network servers
 network-object host
 network-object host
object-group network NTP_servers
 network-object host x.x.x.x
 network-object host x.x.x.x
access-list inside_out permit udp object-group servers object-group NTP_servers eq 123

This will allow outbound requests to external NTP servers. The return packets should be allowed in because of the stateful nature of the PIX (pseudo-stateful in terms of UDP).

If you are not restricting outbound access then you shouldn't need to do anything.

Note - the above assumes that you have all your NAT set up correctly.
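To confirm from one of the internal servers that both the outbound request and the return packet make it through the firewall, a one-shot SNTP probe over UDP 123 is enough. This is an added example, not part of the original reply; the function names and the constructed sample reply are assumptions, and the server address is supplied on the command line.

```python
import socket
import struct
import sys
import time

NTP_PORT = 123                # same UDP port the access-list permits
NTP_UNIX_DELTA = 2208988800   # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)

def build_request() -> bytes:
    """48-byte SNTP client request: LI=0, version 3, mode 3 (client)."""
    return bytes([0x1B]) + bytes(47)

def parse_reply(data: bytes) -> dict:
    """Validate a server reply and pull out the fields worth checking."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    first, stratum = data[0], data[1]
    mode = first & 0x07
    if mode != 4:
        raise ValueError(f"unexpected mode {mode}, want 4 (server)")
    if stratum == 0:
        # Stratum 0 is a kiss-o'-death; the reference ID carries an ASCII code.
        raise ValueError("kiss-o'-death: " + data[12:16].decode("ascii", "replace"))
    secs, frac = struct.unpack("!II", data[40:48])   # transmit timestamp
    return {"leap": first >> 6, "version": (first >> 3) & 0x07,
            "stratum": stratum,
            "unix_time": secs - NTP_UNIX_DELTA + frac / 2**32}

def probe(server: str, timeout: float = 3.0) -> dict:
    """Send one request; socket.timeout means the request or reply was dropped."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (server, NTP_PORT))
        data, _ = s.recvfrom(512)
    result = parse_reply(data)
    result["offset_vs_local"] = result["unix_time"] - time.time()
    return result

# Constructed sample reply (not captured traffic): LI=0, VN=3, mode 4,
# stratum 2, transmit timestamp = Unix 1225681920.5.
SAMPLE_REPLY = (bytes([0x1C, 2, 6, 0xEC]) + bytes(36)
                + struct.pack("!II", 1225681920 + NTP_UNIX_DELTA, 1 << 31))

if __name__ == "__main__":
    # With an argument, query that server; without, decode the sample offline.
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else parse_reply(SAMPLE_REPLY))
```

A timeout from `probe` on a server listed in the `servers` group points at the ACL, NAT, or the upstream path; a parsed reply with a nonzero stratum shows the return packet was let back in.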


