
NTP and ACL issues


Hello, I have a 7200 series router that I would like to have sync its time with a public NTP server. Time sync is actually working great. My problem is that when I run a port scanner I see that UDP 123 is in open state.


Here is my config regarding NTP. I would like UDP 123 to be closed. Is there a way to accomplish this?


access-list 1 permit 130.207.244.240

ntp access-group serve-only 1

ntp server 130.207.244.240


Thanks

gfullage (Cisco Employee) Mon, 03/10/2003 - 16:53

If you configure NTP on the router then it's going to open the port so that it'll listen to packets on it. The above config will ensure that if the router receives an NTP packet from anywhere else it'll drop it, but there's no way to actually only open the port for that IP address.


You could apply an inbound ACL on your outside interface that basically says:


> ! <ROUTER-OUTSIDE-IP> is a placeholder for the router's own outside interface address (not given in the original post)
> access-list 100 permit udp host 130.207.244.240 host <ROUTER-OUTSIDE-IP> eq 123

> access-list 100 deny udp any host <ROUTER-OUTSIDE-IP> eq 123

> access-list 100 permit ip any any


> int serial 0

> description Connection to Internet

> ip access-group 100 in


that'll ensure no-one else gets in, and would probably close the port off to scans.


Also, be careful with UDP port scans, they're generally unreliable since there really is no connection in UDP, the port scan usually relies on receiving an ICMP Unreachable back, and if it doesn't it'll assume the port is open. If you have something that silently drops packets (like a PIX), they'll quite often show that every available UDP port is open, when in actual fact they're not.
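Added example, not from the thread or from Cisco: a small Python check to run from a host that is not in the permitted ACL after the interface ACL above is applied. It sends one standard NTP client request and tells a real reply apart from an ICMP port unreachable and from silence, which is exactly the ambiguity gfullage describes in UDP scan results; the router address passed to probe_ntp() is an assumed placeholder, and make_constructed_reply() only builds a sample packet for offline testing.

```python
import socket
import struct

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to the Unix epoch


def build_client_request() -> bytes:
    """48-byte NTPv3 client packet: LI=0, VN=3, Mode=3 -> first byte 0x1b."""
    return b"\x1b" + b"\x00" * 47


def parse_reply(data: bytes) -> dict:
    """Pull version, mode, stratum and transmit timestamp out of an NTP reply."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    version = (data[0] >> 3) & 0x07
    mode = data[0] & 0x07
    tx_secs, tx_frac = struct.unpack("!II", data[40:48])
    return {
        "version": version,
        "mode": mode,  # 4 = server reply; anything else is not an NTP answer
        "stratum": data[1],
        "transmit_time": tx_secs - NTP_EPOCH_OFFSET + tx_frac / 2**32,  # Unix seconds
    }


def make_constructed_reply(stratum: int, unix_seconds: int) -> bytes:
    """Constructed sample of a server (mode 4) reply, for offline testing only."""
    header = bytes([0x1C, stratum]) + b"\x00" * 38  # 0x1C: LI=0, VN=3, Mode=4
    return header + struct.pack("!II", unix_seconds + NTP_EPOCH_OFFSET, 0)


def probe_ntp(host: str, timeout: float = 2.0) -> str:
    """Send one client request to host:123 and classify the outcome.

    'answers'  - a mode-4 reply came back, so the ACL is not blocking this host
    'closed'   - ICMP port unreachable was returned (the port is really closed)
    'filtered' - no reply at all: the router or an upstream filter dropped the
                 packet, which is what a UDP scanner reports as open|filtered
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, NTP_PORT))  # connected UDP so ICMP errors surface
        try:
            sock.send(build_client_request())
            data = sock.recv(512)
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
    return "answers" if parse_reply(data)["mode"] == 4 else "unexpected"
```

Run probe_ntp("<ROUTER-OUTSIDE-IP>") once from a permitted host (expect "answers") and once from any other host (expect "filtered") to confirm the ACL is doing what the scanner cannot tell you.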
