NTP - Configuration

Hi Gurus of Cisco

I want to synchronize my devices that are on the outside interface (please see the image below)

[Image: NTP Scenario.jpg]

My Firewall has the following configuration:

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 181.66.39.100 255.255.255.128

!

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.1.8.101 255.255.255.0

!

My NTP server is 10.1.11.12 and is on VLAN 11 (10.1.11.0/24) of my core switch.

From my core network I can reach the two devices that are on the outside interface:

CORE-SWITCH#ping 181.66.39.98 source vlan 11 repeat 20

Type escape sequence to abort.

Sending 20, 100-byte ICMP Echos to 181.66.39.98, timeout is 2 seconds:

Packet sent with a source address of 10.1.11.3

!!!!!!!!!!!!!!!!!!!!

Success rate is 100 percent (20/20), round-trip min/avg/max = 1/2/16 ms

CORE-SWITCH#

If I run the ASDM tool "Packet Tracer" and select Interface "inside", Packet Type "UDP", Source Address 10.1.11.12, Source Port NTP ---> Destination Address 181.66.39.98, Destination Port NTP ---> I can reach it:

packet-tracer input inside udp 10.1.11.12 ntp 181.66.39.98 ntp

The Result is:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

But in the other direction:

packet-tracer input outside udp 181.66.39.98 ntp 10.1.11.12 ntp

Phase: 6

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (inside) 2 0.0.0.0 0.0.0.0

  match ip inside any outside any

    dynamic translation to pool 2 (181.66.39.102)

    translate_hits = 2129309899, untranslate_hits = 249021388

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Based on the details above, what lines must I add to my firewall configuration to synchronize my devices that are on the outside interface?


Any comments or suggestions are welcome.

Re: NTP - Configuration

NTP is typically used in a client/server way, where the two routers would be the clients and the core switch is the server. With that you have incoming connections from outside to inside. For that you not only need a permit entry in your outside ACL, but also a matching static NAT statement or a NAT exemption for that traffic.

The config could look like the following:

object-group network NTP-SERVER

  network-object host 181.66.39.98

  network-object host 181.66.39.99

!

access-list NAT-EXEMPT permit ip host 10.1.11.12 object-group NTP-SERVER

!

nat (inside) 0 access-list NAT-EXEMPT

Probably there is already a NAT exemption on your inside interface, so you have to add it to your actual config.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
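Pulling the reply together into one complete fragment, as an added example (it is not configuration posted by the original poster or by the replier): the outside ACL entry the reply mentions but does not show, the NAT exemption, and the packet-tracer re-check, in the pre-8.3 syntax that the `nat (inside) 2 0.0.0.0 0.0.0.0` line on this page indicates. Assumptions: the outside ACL name `outside_access_in` (the page never shows the name of the ACL applied with `access-group ... in interface outside`), the object-group name `NTP-CLIENTS`, the commented 8.3+ twice-NAT equivalent, and the router-side IOS lines (the page shows no router configuration at all). The example goes beyond the thread in one respect: it locks the ACL down to UDP/123 between the named hosts and adds NTP authentication, because an unauthenticated NTP path opened through a firewall lets anyone who can spoof the server's source address step the routers' clocks.

```cisco
! ===== ASA, pre-8.3 syntax (matches "nat (inside) 2 0.0.0.0 0.0.0.0" above) =====
! Added example. ACL and object names are assumed, not taken from the post.

! The two NTP clients on the outside (the routers) and the inside NTP server.
object-group network NTP-CLIENTS
  network-object host 181.66.39.98
  network-object host 181.66.39.99
!
! 1) Outside ACL: permit ONLY UDP/123 from the two clients to the one server.
!    Do not use "permit ip ... any": the ASA builds the UDP flow from the
!    client's request and allows the server's reply on its own, so nothing
!    extra is needed in the inside -> outside direction.
!    "outside_access_in" is assumed; use the name from your own
!    "access-group ... in interface outside".
access-list outside_access_in extended permit udp object-group NTP-CLIENTS host 10.1.11.12 eq ntp
access-group outside_access_in in interface outside
!
! 2) NAT exemption, so 10.1.11.12 is not hidden behind dynamic pool 2
!    (181.66.39.102) and the rpf-check in phase 6 of the trace passes.
!    If a "nat (inside) 0 access-list ..." already exists, add this ACE to
!    that ACL instead of creating a second one (only one nat 0 ACL applies).
access-list NAT-EXEMPT extended permit ip host 10.1.11.12 object-group NTP-CLIENTS
nat (inside) 0 access-list NAT-EXEMPT
!
! 3) Re-run the failing trace from the question. Expect "Action: allow", with
!    the NAT phase showing the exemption (nat 0) instead of pool 2.
packet-tracer input outside udp 181.66.39.98 ntp 10.1.11.12 ntp
!
! ===== ASA 8.3 and later equivalent (assumed; only if the ASA runs 8.3+) =====
! object network NTP-SERVER
!   host 10.1.11.12
! nat (inside,outside) source static NTP-SERVER NTP-SERVER destination static NTP-CLIENTS NTP-CLIENTS
! The ACL above stays as written: from 8.3 the interface ACL matches the real
! (untranslated) inside address, which with identity NAT is still 10.1.11.12.

! ===== IOS routers on the outside (assumed; the page shows no router config) =====
! Point at the server's real address (reachable, per the ping from VLAN 11)
! and authenticate the association. The same key 1 must also be defined with
! "ntp authentication-key 1 md5 ..." on the server at 10.1.11.12.
ntp authenticate
ntp authentication-key 1 md5 <shared-key>
ntp trusted-key 1
ntp server 10.1.11.12 key 1
! Verify with "show ntp associations" (expect * or + on 10.1.11.12) and
! "show ntp status"; on the ASA, "show conn | include 123" shows the UDP flow.
```

Replace `<shared-key>` with a real key before pasting. If the trace still ends in `acl-drop` after this, the ACE most likely went into an ACL that is not the one bound to the outside interface; compare with `show run access-group`.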
