Cisco Support Community
Community Member

NTP Configuration on IDS4215

Hi,

I am new to the IDS environment; we are planning to configure an NTP server on the IDS 4215 box.

I have a completed command set for the same as mentioned below.

sensor# configure terminal

sensor(config)# service host

sensor(config-hos)# ntp-option enable

sensor(config-hos-ena)# ntp-servers ip_address key-id key_ID

Now the problem for me is I don't have the Key-id & Key-value for my ntp server.

Can someone help me configure NTP without the key-id information?

Accepted Solutions
Cisco Employee

Re: NTP Configuration on IDS4215

Unfortunately 5.1(8)E3 is pretty old and doesn't support unauthenticated ntp.

The 5.1 train has been End Of Saled, and is quickly approaching End Of Life/ End Of Signature Support:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps2113/end_of_life_notice_c51-468830.html

Last date for Signatures for the 5.1 version is Oct 24th of this year.

So you only have around 4 months left before you would be forced to upgrade to 6.0 in order to continue getting signature updates.

The 4215 is also End Of Saled, but its End Of Signature Support is not until July 29th 2011.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/ps5367/end_of_life_notice_for_cisco_ids_4215_sensor.html

Version 6.0 is the last version to support the IDS-4215, so Signature Updates for 6.0 for the IDS-4215 will continue until at least July 29th 2011.

So if you upgrade to 6.0 now, you will still have 2 more years of signature updates before you need to purchase a new sensor.

The 6.0(5)E3 version does support the unauthenticated ntp option.

So you will want to plan an upgrade to 6.0 sometime in the next 4 months.

In the meantime you will need to use key authenticated ntp.

If you have access to a router you could try using the router as a temporary in-between server.

The router would be configured to get its time from your existing ntp server. Talk to your network administrator on how to set this up.

Then configure the router to also be an ntp server with an authenticated key.

Here is a section of the CLI Guide explaining how to set up the router as a key authenticated ntp server:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_setup.html#wp1035649

The sensor would be configured to use the router as the ntp server using that key.

This would be a temporary workaround until you can get upgraded to 6.0.

4 REPLIES
Cisco Employee

Re: NTP Configuration on IDS4215

What sensor version are you running?

Older sensor versions will require you to set up keys for your ntp server. You would need to work with the network administrator who set up the ntp server to see if keys have already been created that you can use, or if new keys would need to be created.

NEWER sensor versions, however, provide a new configuration option:

sensor(config-hos)# ntp-option enabled-ntp-unauthenticated

This new unauthenticated option only requires the ntp server IP and works with ntp servers that allow unauthenticated access (which is the most common deployment)
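
An added illustration, not part of the thread and not Cisco's code, of what the key-id and key value do in key-authenticated NTP: each packet carries a 32-bit key ID and an MD5 digest computed over the shared key value followed by the 48-byte NTP header, so a receiver that requires authentication cannot accept replies from a server that has no keys. The key ID 100, the key values and the function names are constructed for the example, and the check is a simplified model of the receiver side.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48        # fixed NTP header
MAC_LEN = 4 + 16       # 32-bit key ID + 128-bit MD5 digest

# Constructed sample key table, as the receiving side would hold it.
SENSOR_KEYS = {100: b"constructed-shared-key"}


def keyed_md5(key_value, header):
    """NTP symmetric-key digest: MD5 over the key value followed by the header."""
    return hashlib.md5(key_value + header).digest()


def build_packet(mode, key_id=None, key_value=None):
    """Build a bare NTPv3 packet (timestamps zeroed), optionally with a MAC."""
    header = bytes([(3 << 3) | mode]) + bytes(HEADER_LEN - 1)  # LI=0, VN=3
    if key_id is None:
        return header  # what a server without keys sends
    return header + struct.pack("!I", key_id) + keyed_md5(key_value, header)


def verify(packet, trusted_keys):
    """Receiver-side check when authentication is required."""
    if len(packet) == HEADER_LEN:
        return "no-mac"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return "malformed"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key_value = trusted_keys.get(key_id)
    if key_value is None:
        return "unknown-key"
    # Constant-time comparison of the expected and received digests.
    if not hmac.compare_digest(keyed_md5(key_value, header), mac[4:]):
        return "bad-digest"
    return "ok"


if __name__ == "__main__":
    server_mode = 4
    cases = {
        "router, matching key": build_packet(server_mode, 100, b"constructed-shared-key"),
        "server without keys": build_packet(server_mode),
        "wrong key value": build_packet(server_mode, 100, b"other-value"),
        "wrong key ID": build_packet(server_mode, 7, b"constructed-shared-key"),
    }
    for name, pkt in cases.items():
        print(f"{name}: {verify(pkt, SENSOR_KEYS)}")
```
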

Community Member

Re: NTP Configuration on IDS4215

Hi,

Thanks for your quick response.

Below is the version we are running on the box.

Cisco Intrusion Prevention System, Version 5.1(8)E3

Unfortunately, I am not finding that command syntax in my IOS code.

Any alternative for my existing code?

Community Member

Re: NTP Configuration on IDS4215

Awesome,

Thanks for all your support.
