NTP through ASA

agoraya
Level 1

I am trying to set up NTP from a router that is behind an ASA. I am trying to sync it with time.nist.gov (UDP port 123). However, "sh asso det" lists the NIST server as "insane and invalid". The ASA does do a source NAT and also changes the source port. When I use my backup internet connection, which is a DSL modem, NTP works fine (different NAT address). On the ASA, for NTP, the packets are getting NAT'ed and the UDP session is built. After 2 minutes the session is torn down.

Here is the syslog message:

Built outbound UDP connection 186440 for ouside:216.229.0.179/123 (216.229.0.179/123) to inside:172.16.64.4/123(xx.xx.xxx.xxx/409)

I have forced the NAT so that the source port stays 123 after NAT but no change.

Appreciate any input.

1 Reply

Marvin Rhoads
Hall of Fame

NTP shouldn't care what your source port is, as long as the destination is udp/123.

Since it looks like the udp flow is being set up, I'd suspect something upstream isn't getting your packets to the destination NTP server.
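
A way to read the ASA connection logs for this kind of problem, as an added example that is not part of the original thread: the script pairs "Built" and "Teardown" UDP records by connection id and reports whether PAT rewrote the source port, how long the flow lasted and its byte count. The Built line is the one quoted in the post; the Teardown line is constructed, assuming the ASA message 302016 layout, and `correlate` is a hypothetical helper name.

```python
import re

# The Built line is the one quoted in the post (redacted address kept as-is).
# The Teardown line is constructed for illustration, in the message 302016 layout.
SAMPLE_LOG = """\
Built outbound UDP connection 186440 for ouside:216.229.0.179/123 (216.229.0.179/123) to inside:172.16.64.4/123(xx.xx.xxx.xxx/409)
Teardown UDP connection 186440 for ouside:216.229.0.179/123 to inside:172.16.64.4/123 duration 0:02:01 bytes 48
"""

EP = r"(\S+?):([^/\s]+)/(\d+)"        # interface:address/port
MAPPED = r"\s*\(([^/\s]+)/(\d+)\)"    # (mapped-address/mapped-port)
BUILT = re.compile(
    rf"Built (inbound|outbound) UDP connection (\d+) for {EP}{MAPPED} to {EP}{MAPPED}")
TEARDOWN = re.compile(
    rf"Teardown UDP connection (\d+) for {EP} to {EP} duration (\d+):(\d+):(\d+) bytes (\d+)")


def correlate(log_text):
    """Pair Built/Teardown records by connection id and summarise each UDP flow."""
    flows = {}
    for line in log_text.splitlines():
        if m := BUILT.search(line):
            g = m.groups()
            flows[g[1]] = {
                "direction": g[0],
                "server": f"{g[3]}/{g[4]}",
                "client_real": f"{g[8]}/{g[9]}",
                "client_mapped": f"{g[10]}/{g[11]}",
                # True when PAT changed the client's source port (123 -> 409 here)
                "src_port_rewritten": g[9] != g[11],
                "duration_s": None,   # filled in when the Teardown record is seen
                "bytes": None,
            }
        elif m := TEARDOWN.search(line):
            g = m.groups()
            flow = flows.get(g[0])
            if flow is not None:      # ignore teardowns with no matching Built record
                flow["duration_s"] = int(g[7]) * 3600 + int(g[8]) * 60 + int(g[9])
                flow["bytes"] = int(g[10])
    return flows


if __name__ == "__main__":
    for conn_id, flow in correlate(SAMPLE_LOG).items():
        print(conn_id, flow)
```

The ASA's default UDP idle timeout is 0:02:00, so a duration close to 120 seconds means the flow went idle rather than being closed for another reason.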
