NTP Through ASA 8.4 Issue

Unanswered Question
Jul 25th, 2012

Hi All,

I am having an issue getting NTP from an inside host to a host on the outside.

My inside host is on an RFC 1918 address and it has a static source NAT translation to a registered internet address to any destination. My inside source is sending the NTP packets out with a source port of UDP 123 and also a destination port of UDP 123.

I have access list rules in place on the inside interface to permit the traffic and can see the counters increasing with each attempt from the inside host.

When I try to packet trace the connectivity on the ASA using asdm the flow seems OK, however the output interface is showing as unknown.

The relevant parts of my config are shown below:

nat (inside,outside) source static cucme_host voice_external

access-list inside-access-out extended permit udp object cucme_host object NTP-Server eq 123

All of my other services for this host are working fine: DNS, SIP, RTP, RTCP, etc.

Anyone got an insight into this, as I seem to be going round in circles.

Cheers

Steve

Ramraj.Sivagnanam Wed, 07/25/2012 - 04:13

Hi Bro

I'm assuming from 10.1.5.1, you can PING to 81.168.77.149. I'm also assuming your FW rules are correctly done.

access-list inside permit tcp host 10.1.5.1 any eq 123

access-list inside permit udp host 10.1.5.1 any eq 123

access-list inside permit icmp host 10.1.5.1 host 81.168.77.149

In certain TCP peering, you'd need the TCP ports to be enabled as well. With this, all I can think of is the Public NTP Server 81.168.77.149 that you're pointing to could be the cause here. Have you tried pointing to other Public NTP Servers e.g. 211.233.40.78, 61.153.197.226 and 202.150.213.154?

P.S.: If you think this comment is useful, please do rate them nicely :-)

steve_nelson Wed, 07/25/2012 - 05:41

Hi,

Thanks for the reply. All connectivity is fine, and the router we are using as a client is sending UDP requests only.

I have managed to solve the unknown output issue, I was missing an ip verify reverse path interface outside command. So now the packet trace seems to work fine however my host on the inside will still not sync to the public server.

The public server I am using is:

ntp2.sandvika.net     194.164.127.6  Telehouse Europe, London E14 UK  NTP V4 secondary Sun UltraSPARC Solaris 8

Thanks

Steve

steve_nelson Wed, 07/25/2012 - 06:13

Update:

The ip verify reverse path interface outside command only appears to affect the first packet in the flow.

If I clear the connections, then try a packet trace, the output is exactly what I expect; once the flow idles out, the second flow comes back with the unknown output interface as seen in the screenshot above.

Anyone got any further ideas?

Thanks

Steve

nkarthikeyan Wed, 07/25/2012 - 08:10

Hi Steve,

Try with this command in your ASA.

ntp server x.x.x.x source inside (or whichever interface is initiating the traffic towards the NTP server).

Please do rate if the given information helps.

By

Karthik
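The UDP/123 exchange this thread is troubleshooting, as an added example that is not part of the original thread or any poster's code: it builds the 48-byte NTPv4 mode-3 (client) request that a router NTP client sends, decodes the mode-4 (server) reply, applies the checks a client makes before trusting a reply (mode, usable stratum, and that the reply's originate field echoes the request's transmit timestamp), and computes clock offset and round-trip delay from the four timestamps. The server reply here is a constructed sample so everything runs offline; the stratum, reference id and timing values in it are assumptions. query_server is an optional live probe against a real server such as the 194.164.127.6 address Steve quoted, and binding UDP/123 as the source port, as the router in the thread does, generally needs root.

```python
import socket
import struct
import time

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def to_ntp_timestamp(unix_time):
    """Pack a Unix float time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_time)
    frac = int((unix_time - whole) * (1 << 32))
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def from_ntp_timestamp(raw):
    """Unpack a 64-bit NTP timestamp back to Unix float time."""
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_client_request(transmit_time, version=4):
    """Build the 48-byte mode-3 (client) packet a router NTP client sends to UDP/123."""
    li_vn_mode = (0 << 6) | (version << 3) | 3       # LI=0, VN=4, mode=3 (client)
    header = bytes([li_vn_mode, 0, 0, 0])            # stratum, poll, precision left unset
    zero32, zero64 = b"\x00" * 4, b"\x00" * 8
    # root delay, root dispersion, reference id, then reference/originate/receive timestamps
    body = zero32 + zero32 + zero32 + zero64 + zero64 + zero64
    return header + body + to_ntp_timestamp(transmit_time)


def build_server_reply(request, server_time, stratum=2, ref_id=b"GPS\x00"):
    """Constructed mode-4 (server) reply for offline use; stratum/ref_id/timing are assumptions."""
    header = bytes([(4 << 3) | 4, stratum, 6, 0xEC])  # VN=4, mode=4, poll=6, precision=-20
    return (header
            + struct.pack("!II", 0, 0)                # root delay, root dispersion
            + ref_id
            + to_ntp_timestamp(server_time - 30)      # reference timestamp (last sync)
            + request[40:48]                          # originate = client's transmit, echoed
            + to_ntp_timestamp(server_time)           # receive timestamp
            + to_ntp_timestamp(server_time))          # transmit timestamp


def parse_packet(data):
    """Decode the fixed 48-byte NTP header into a dict."""
    if len(data) < 48:
        raise ValueError("NTP packet too short: %d bytes" % len(data))
    return {
        "version": (data[0] >> 3) & 0x07,
        "mode": data[0] & 0x07,
        "stratum": data[1],
        "ref_id": data[12:16],
        "reference": from_ntp_timestamp(data[16:24]),
        "originate": from_ntp_timestamp(data[24:32]),
        "receive": from_ntp_timestamp(data[32:40]),
        "transmit": from_ntp_timestamp(data[40:48]),
    }


def validate_reply(request, reply):
    """Checks a client applies before trusting a reply: server mode, usable stratum, and an
    originate field that echoes our own transmit timestamp (rejects stale or unsolicited replies)."""
    r = parse_packet(reply)
    if r["mode"] != 4:
        return False, "not a server reply (mode %d)" % r["mode"]
    if not 1 <= r["stratum"] <= 15:
        return False, "unusable stratum %d (0 = kiss-o'-death, 16 = unsynchronised)" % r["stratum"]
    if reply[24:32] != request[40:48]:
        return False, "originate timestamp does not match our request"
    return True, "ok"


def compute_offset_delay(t1, t2, t3, t4):
    """Standard NTP clock offset and round-trip delay from the four timestamps."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def query_server(host, source_port=NTP_PORT, timeout=2.0):
    """Live probe (not used offline): one request/reply to host:123 from the given source port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind(("", source_port))  # source port 123, like the router; needs root on most systems
    try:
        t1 = time.time()
        req = build_client_request(t1)
        sock.sendto(req, (host, NTP_PORT))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    finally:
        sock.close()
    ok, reason = validate_reply(req, data)
    if not ok:
        raise ValueError(reason)
    r = parse_packet(data)
    return r, compute_offset_delay(t1, r["receive"], r["transmit"], t4)


if __name__ == "__main__":
    # Offline walk-through with a constructed reply (no network needed).
    t1 = 1343203000.0                                # client transmit time (constructed)
    req = build_client_request(t1)
    reply = build_server_reply(req, server_time=t1 + 0.25)
    print(validate_reply(req, reply))
    r = parse_packet(reply)
    print("offset %.3fs delay %.3fs" % compute_offset_delay(t1, r["receive"], r["transmit"], t1 + 0.5))
```

Running query_server from the inside host once with source_port=123 and once with an ephemeral port separates a problem specific to the fixed-port flow from a general reachability problem, and the validate_reply checks are the reason a client that receives a reply can still refuse to sync: a stratum-0 or stratum-16 reply, or one whose originate timestamp does not match, is discarded even though the packet arrived.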

Posted July 25, 2012 at 3:57 AM
Tags: ntp, asa, asa_8.4
