Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

NTP Passthrough Pix 515e

Hi Folks:

We have a Pix 515e with an Access-Control-List set only on the outside interface. We want a Win2k3 server PDC to obtain time via an Internet time server and have set the Win2k3 server to do so. NTP packets are either not getting out through the Pix or not getting back in through the Pix. Debug on the inside interface shows NTP packets arriving when the Win2k3 Server attempts to synchronize time with an Internet Time Server; but Debug on the outside interface doesn't show time coming back. Anyway, since there's only an ACL on the outside interface, we're expecting all inbound-to-outbound-initiated "2-way conversations" to be allowed??? How should the Pix be setup so this will work?


Cisco Employee

Re: NTP Passthrough Pix 515e


Are you using PAT or Static NAT for the Win2K server when connecting to the NTP Server.

If PAT (nat/global) is used, then the PIX randomizes TCP and UDP sequence numbers and source port numbers when a connection is created. This is true for connections going out through PAT but not through NAT.

Since, NTP connection is made (always source and destination port is 123), if the connection is made using PAT, the source port is randomized and the NTP server might be expecting a connection coming with a source port of 123 and not the one randomized by the PIX.

So, if you are using PAT, NTP is not going to work in your case. You need to use a Static NAT, that is one-to-one mapping for the Win2K server.

I hope it helps.



Community Member

Re: NTP Passthrough Pix 515e

Well, this may be where I'm missing some understanding of how the Pix works. I'm expecting that since the server is sending the NTP time request that the Pix will automatically "retain" the fact that an NTP request went from an internal server to a specific Internet address on the outside and therefore when the Internet NTP server responds to the request, the Pix will automatically observe that a recent request went to the Internet from a specific local server and so the Pix will direct the request to that Server. What am I missing here about the way it actually workS?

Cisco Employee

Re: NTP Passthrough Pix 515e

Your understanding is correct. Since the traffic was initiated from a higher security interface to a lower security interface,

The Pix will retain the translation information and the return traffic will be directed to the w2k server.

But, the fact is, if you have configured the Pix to PAT the w2k server IP Address, then as per my previous post, Pix will translate the source port to something other than 123 and the NTP server on the internet will reject this request, since the NTP server expects a packet with source port 123.

BTW, have you configured the Pix for One to One Translation for the w2k server? and still having problems.

Let me know when you get a chance.



Community Member

Re: NTP Passthrough Pix 515e

Thanks for your help with this.

We have several one-to-one mappings; such as,

static (inside,outside) tcp www www netmask 0 0

and some of those static mappings do map to the server in question, just not for ntp. I did try temporarily try a static ntp mapping to another server with no success on the ntp reply.

CreatePlease to create content