NTP - Configuration

a.guillen
Level 1

Hi Gurus of Cisco

I want to synchronize my devices that are on the outside interface (please see the image below).

[Image: NTP Scenario.jpg]

My Firewall has the following configuration:

!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 181.66.39.100 255.255.255.128
!
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.8.101 255.255.255.0
!

My NTP server is 10.1.11.12 and is on VLAN 11 (10.1.11.0/24) of my core switch.

From my core network I can reach the two devices that are on the outside interface:

CORE-SWITCH#ping 181.66.39.98 source vlan 11 repeat 20
Type escape sequence to abort.
Sending 20, 100-byte ICMP Echos to 181.66.39.98, timeout is 2 seconds:
Packet sent with a source address of 10.1.11.3
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20), round-trip min/avg/max = 1/2/16 ms
CORE-SWITCH#

If I run the ASDM tool "Packet tracer" and select Interface "Inside", Packet Type "UDP", Source Address 10.1.11.12, Source Port NTP ---> Destination Address 181.66.39.98, Destination Port NTP ---> I can reach it:

packet-tracer input inside udp 10.1.11.12 ntp 181.66.39.98 ntp

The result is:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

But in the other direction:

packet-tracer input outside udp 181.66.39.98 ntp 10.1.11.12 ntp

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 2 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 2 (181.66.39.102)
    translate_hits = 2129309899, untranslate_hits = 249021388
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Based on the details above, what lines must I add to my firewall configuration to synchronize my devices that are on the outside interface?

Any comments or suggestions are welcome.

1 Reply

NTP is typically used in a client/server way, where the two routers would be the clients and the core switch is the server. With that you have incoming connections from outside to inside. For that you not only need a permit entry in your outside ACL, but also a matching static NAT statement or a NAT exemption for that traffic.

The config could look like the following:

object-group network NTP-SERVER
  network-object host 181.66.39.98
  network-object host 181.66.39.99
!
access-list NAT-EXEMPT permit ip host 10.1.11.12 object-group NTP-SERVER
!
nat (inside) 0 access-list NAT-EXEMPT

Probably there is already a NAT exemption on your inside interface, so you have to add it to your actual config.
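The reply shows only the NAT exemption; the outside ACL entry it also calls for, plus a verification step, is spelled out below as an added example (not the poster's or the reply author's config). It assumes the pre-8.3 NAT syntax seen in the question, and the outside ACL name OUTSIDE-IN is an assumption.

```cisco
! --- Added example, not from the original thread. Assumes pre-8.3 ASA NAT syntax
! --- (as in the question) and an outside ACL named OUTSIDE-IN (assumed name).
!
! Outside NTP clients (the two routers); group name kept from the reply above
object-group network NTP-SERVER
  network-object host 181.66.39.98
  network-object host 181.66.39.99
!
! 1) NAT exemption (identity NAT) between the inside NTP server and the two
!    routers, so the connection initiated from outside is not pushed through the
!    dynamic "nat (inside) 2" pool. If a "nat (inside) 0 access-list ..." line
!    already exists, add this ACE to that ACL instead of adding a second nat 0.
access-list NAT-EXEMPT extended permit ip host 10.1.11.12 object-group NTP-SERVER
nat (inside) 0 access-list NAT-EXEMPT
!
! 2) Inbound ACL on the outside interface: permit only NTP (UDP/123) from the two
!    routers to the server. Matching on the destination port only also covers
!    clients that use an ephemeral source port instead of 123. Keep it this
!    narrow; do not open "ip any". If an ACL is already applied inbound on
!    outside, add the ACE to that ACL rather than replacing it with access-group.
access-list OUTSIDE-IN extended permit udp object-group NTP-SERVER host 10.1.11.12 eq ntp
access-group OUTSIDE-IN in interface outside
!
! 3) Verify from the outside, as in the question. The NAT phase should now show
!    the nat 0 exemption instead of the dynamic pool, and Action should be allow.
packet-tracer input outside udp 181.66.39.98 123 10.1.11.12 123
!
! 4) Router side (not ASA): because the server address stays untranslated, each
!    outside router needs a route to 10.1.11.0/24 via the ASA outside address.
!    ip route 10.1.11.0 255.255.255.0 181.66.39.100
```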
