We have a Pix 515e with an Access-Control-List set only on the outside interface. We want a Win2k3 server PDC to obtain time via an Internet time server and have set the Win2k3 server to do so. NTP packets are either not getting out through the Pix or not getting back in through the Pix. Debug on the inside interface shows NTP packets arriving when the Win2k3 server attempts to synchronize time with an Internet time server, but debug on the outside interface doesn't show time coming back. Anyway, since there's only an ACL on the outside interface, we're expecting all inbound-to-outbound-initiated "2-way conversations" to be allowed? How should the Pix be set up so this will work?
Are you using PAT or Static NAT for the Win2K server when connecting to the NTP server?
If PAT (nat/global) is used, then the PIX randomizes TCP and UDP sequence numbers and source port numbers when a connection is created. This is true for connections going out through PAT but not through NAT.
Since the NTP connection is made with source and destination port always 123, if the connection is made using PAT, the source port is randomized and the NTP server might be expecting a connection coming with a source port of 123 and not the one randomized by the PIX.
So, if you are using PAT, NTP is not going to work in your case. You need to use a Static NAT, that is one-to-one mapping for the Win2K server.
Well, this may be where I'm missing some understanding of how the Pix works. I'm expecting that since the server is sending the NTP time request, the Pix will automatically "retain" the fact that an NTP request went from an internal server to a specific Internet address on the outside, and therefore when the Internet NTP server responds to the request, the Pix will automatically observe that a recent request went to the Internet from a specific local server and so the Pix will direct the request to that server. What am I missing here about the way it actually works?
Your understanding is correct. Since the traffic was initiated from a higher security interface to a lower security interface, the Pix will retain the translation information and the return traffic will be directed to the w2k server.
But the fact is, if you have configured the Pix to PAT the w2k server IP address, then as per my previous post, the Pix will translate the source port to something other than 123 and the NTP server on the Internet will reject this request, since the NTP server expects a packet with source port 123.
BTW, have you configured the Pix for one-to-one translation for the w2k server and are still having problems?
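The two answers above describe the same mechanism from two angles: the firewall rewrites the source of the outbound UDP/123 request, records that translation together with the connection, and uses the record to deliver the reply to the inside host. The difference between PAT (`nat`/`global` in PIX 6.x syntax) and one-to-one static NAT (`static (inside,outside)`) is only what the rewritten source looks like on the wire. The following Python model is an added example, not code from the thread or from Cisco; the addresses, the port allocation starting at 1024, and the `Firewall` class are constructed for illustration and deliberately simplified (one UDP flow, no timeouts, no reuse of ports). It models the firewall only; whether a particular NTP server answers a request from a non-123 source port is a property of that server and is not modelled.

```python
"""Model of stateful NAT/PAT for an outbound NTP request and its reply.

Constructed example: not PIX code. Shows what the remote NTP server sees as
the client's source under PAT versus static (one-to-one) NAT, and how the
recorded translation maps the reply back to the inside host.
"""
from dataclasses import dataclass
import itertools

# Constructed addresses from documentation ranges (assumptions, not the poster's).
INSIDE_HOST = "192.168.1.10"      # the W2K3 PDC on the inside interface
GLOBAL_PAT_ADDR = "203.0.113.1"   # outside address shared by all PAT'd hosts
STATIC_GLOBAL = "203.0.113.10"    # global address mapped one-to-one to the PDC
NTP_SERVER = "198.51.100.5"       # the Internet time server
NTP_PORT = 123


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class Firewall:
    """Minimal stateful translator with two modes: 'pat' or 'static'."""

    def __init__(self, mode, pat_first_port=1024):
        if mode not in ("pat", "static"):
            raise ValueError("mode must be 'pat' or 'static'")
        self.mode = mode
        # Assumption for the model: PAT hands out ports sequentially from 1024.
        self._ports = itertools.count(pat_first_port)
        # xlate: (global_ip, global_port) -> (inside_ip, inside_port)
        self.xlate = {}
        # conns: 5-tuples created by inside-initiated traffic
        self.conns = set()

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source and record the translation."""
        if self.mode == "static":
            g_ip, g_port = STATIC_GLOBAL, pkt.src_port   # address changes, port kept
        else:
            g_ip, g_port = GLOBAL_PAT_ADDR, next(self._ports)  # address and port change
        self.xlate[(g_ip, g_port)] = (pkt.src_ip, pkt.src_port)
        self.conns.add((g_ip, g_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
        return Packet(g_ip, g_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Outside -> inside: pass only replies to a recorded connection.

        Returns the untranslated packet, or None when it would be dropped
        (no matching connection, so no outside ACL entry is needed for replies).
        """
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.conns:
            return None
        in_ip, in_port = self.xlate[(pkt.dst_ip, pkt.dst_port)]
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.proto)


def ntp_exchange(mode, client_port=NTP_PORT):
    """Run one request/reply through a firewall in the given mode.

    Windows W32Time sends from UDP 123 by default, so the client port
    defaults to 123 here.
    """
    fw = Firewall(mode)
    request = Packet(INSIDE_HOST, client_port, NTP_SERVER, NTP_PORT)
    on_wire = fw.outbound(request)
    # The server replies to whatever source address and port it saw.
    reply = Packet(NTP_SERVER, NTP_PORT, on_wire.src_ip, on_wire.src_port)
    delivered = fw.inbound(reply)
    # A packet from the server to a port nobody translated to is dropped.
    stray = fw.inbound(Packet(NTP_SERVER, NTP_PORT, on_wire.src_ip, 9999))
    return {
        "server_sees": (on_wire.src_ip, on_wire.src_port),
        "delivered_to": (delivered.dst_ip, delivered.dst_port) if delivered else None,
        "stray_dropped": stray is None,
    }


if __name__ == "__main__":
    for mode in ("pat", "static"):
        print(mode, ntp_exchange(mode))
```

Under `static` the time server sees 203.0.113.10:123; under `pat` it sees 203.0.113.1:1024. In both modes the reply is untranslated back to 192.168.1.10:123 because the outbound request created the connection entry, which is the behaviour the second answer confirms; a packet that matches no recorded connection is dropped regardless of mode.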