I am trying to setup NTP from a router that is behind an ASA. I am trying to sync it with time.nist.gov (UDP port 123). However, the "sh asso det" list the NIST server as "insane and invalid". The ASA does do a source NAT and also changes the source port. When I use my backup internet connection that is a DSL modem then NTP work fine, different NAT address. On the ASA, for NTP, the packets are getting NAT'ed and UDP session is built. After 2 minutes the session is tore down.
Here is the syslog message:
Built outbound UDP connection 186440 for ouside:184.108.40.206/123 (220.127.116.11/123) to inside:172.16.64.4/123(xx.xx.xxx.xxx/409)
I have forced the NAT so that the source port stays 123 after NAT but no change.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
[toc:faq]Introduction:This document describes details on how NAT-T
works.Background:ESP encrypts all critical information, encapsulating
the entire inner TCP/UDP datagram within an ESP header. ESP is an IP
protocol in the same sense that TCP and UDP are I...