
NTP through ASA

I am trying to set up NTP from a router that is behind an ASA. I am trying to sync it with time.nist.gov (UDP port 123). However, "sh asso det" lists the NIST server as "insane and invalid". The ASA does do a source NAT and also changes the source port. When I use my backup internet connection, which is a DSL modem, NTP works fine (different NAT address). On the ASA, for NTP, the packets are getting NAT'ed and a UDP session is built. After 2 minutes the session is torn down.

Here is the syslog message:

Built outbound UDP connection 186440 for ouside:216.229.0.179/123 (216.229.0.179/123) to inside:172.16.64.4/123(xx.xx.xxx.xxx/409)

I have forced the NAT so that the source port stays 123 after NAT, but no change.

Appreciate any input.

1 REPLY
NTP shouldn't care what your source port is, as long as the destination is udp/123.

Since it looks like the udp flow is being set up, I'd suspect something upstream isn't getting your packets to the destination NTP server.
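
Added example (not part of the original thread): a small Python parser that pairs the ASA "Built ... UDP connection" record quoted in the question with its teardown record, shows the source-port translation, and estimates when the last packet crossed the firewall. The address 203.0.113.10 is a placeholder for the masked NAT address, the Teardown line is constructed, and the 2-minute idle timeout is an assumption taken from the poster's description.

```python
import re
from datetime import timedelta

# Constructed sample. The Built line follows the one quoted in the post, with
# 203.0.113.10 standing in for the masked NAT address; the Teardown line is a
# made-up counterpart in the ASA "Teardown UDP connection" layout.
SAMPLE = """\
Built outbound UDP connection 186440 for ouside:216.229.0.179/123 (216.229.0.179/123) to inside:172.16.64.4/123(203.0.113.10/409)
Teardown UDP connection 186440 for ouside:216.229.0.179/123 to inside:172.16.64.4/123 duration 0:02:01 bytes 48
"""

EP = r"(\S+?):([\d.]+)/(\d+)"          # interface:real_ip/real_port
MAPPED = r"\s*\(([\d.]+)/(\d+)\)"      # (mapped_ip/mapped_port)
BUILT = re.compile(r"Built (?:in|out)bound UDP connection (\d+) for "
                   + EP + MAPPED + " to " + EP + MAPPED)
TEARDOWN = re.compile(r"Teardown UDP connection (\d+) for .*? "
                      r"duration (\d+):(\d+):(\d+) bytes (\d+)")


def summarize(log, idle_timeout=timedelta(minutes=2)):
    """Pair Built/Teardown records by connection id and describe each flow.

    idle_timeout is an assumption: the post says the session is torn down
    after 2 minutes, so the teardown is treated as an idle expiry.
    """
    flows = {}
    for line in log.splitlines():
        if m := BUILT.search(line):
            cid, _, s_ip, s_port, _, _, _, c_ip, c_port, m_ip, m_port = m.groups()
            flows[cid] = {
                "server": f"{s_ip}/{s_port}",
                "client_real": f"{c_ip}/{c_port}",
                "client_mapped": f"{m_ip}/{m_port}",
                "port_rewritten": c_port != m_port,
            }
        elif (m := TEARDOWN.search(line)) and m.group(1) in flows:
            cid, h, mi, s, nbytes = m.groups()
            dur = timedelta(hours=int(h), minutes=int(mi), seconds=int(s))
            # Under idle expiry, the last packet crossed ~(duration - timeout)
            # after the flow was built.
            flows[cid].update(duration=dur, bytes=int(nbytes),
                              last_packet_after=max(dur - idle_timeout, timedelta(0)))
    return flows


if __name__ == "__main__":
    for cid, flow in summarize(SAMPLE).items():
        print(cid, flow)
```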
