Cisco Support Community
Community Member

Does PIX support NTP...

If not, what is the best practice to allow NTP to synchronize with internal network devices from external sources?

All comment welcome... Thanks.


Re: Does PIX support NTP...

In version 6.2 I know the PIX supports NTP as a client but I don't think as a server. NTP uses port 123. I believe the client starts the NTP connection with the NTP server, so the PIX can allow your internal clients to communicate with the NTP server without having to create an ACL. If I am wrong, and you need an ACL, put a server on the DMZ, sync with the internet NTP server that way, and allow your inside devices to sync with the DMZ NTP server.

Hope it helps.


Community Member

Re: Does PIX support NTP...

Thanks for the comment...

I am running version 5.3(6) and I now know that NTP is not supported under 6.1.

Do you have any recommendations for allowing the traffic thru from external to internal?

Re: Does PIX support NTP...

Be as specific as possible in the acl.


access-list 101 permit tcp host x.x.x.x host y.y.y.y eq 123 (x.x.x.x is the public ntp server and y.y.y.y is your ntp server)

static (inside, outside) y.y.y.y netmask

If you have any internal acls, only allow that internal ntp server to communicate with others via ntp, and lock that server down (not a server guy anymore so can't help with that). If it's a router, have an acl on it only allow the public ntp server to access it via ntp. Not much else you can do if you are stuck with direct external to internal.

Hope that's what you are looking for.


Community Member

Re: Does PIX support NTP...

Two comments:

An NTP client initiates all communications to servers and even to peers. There is no server push. If you are syncing to outside sources, you will only need an ACL if you are restricting outbound traffic.

Most routine NTP traffic is UDP. Only some interactive traffic, like ntpq queries, is TCP, so you generally only have to allow UDP.
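The two points made in this thread, that the NTP client always opens the exchange and that routine NTP is UDP/123, can be checked against the ACL posted earlier. The following Python is an added example, not code from the thread or from Cisco: it decodes the mode field of an NTP header (mode 3 is the client request, mode 4 the server reply) and evaluates PIX-style access-list lines against an NTP flow. The addresses 203.0.113.10 (public NTP server) and 192.0.2.20 (internal NTP server) are constructed documentation-range placeholders standing in for the thread's x.x.x.x and y.y.y.y, and the ACL parser only handles the `host`/`any`/`eq` subset of PIX syntax used above.

```python
"""Added example (not from the thread): decode the NTP mode field of a
packet and evaluate PIX-style access-list lines against an NTP flow.
203.0.113.10 (public NTP server) and 192.0.2.20 (internal NTP server) are
constructed placeholders for the thread's x.x.x.x and y.y.y.y."""
import struct
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

NTP_PORT = 123
PUBLIC_NTP = "203.0.113.10"    # constructed stand-in for x.x.x.x
INTERNAL_NTP = "192.0.2.20"    # constructed stand-in for y.y.y.y

# NTP association modes (RFC 5905, section 7.3). Mode 3 is the client
# request and mode 4 the server reply, so the client always opens the exchange.
MODE_NAMES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control (ntpq)", 7: "private"}


def build_ntp_client_request(version: int = 4) -> bytes:
    """Build a minimal 48-byte NTP client request: LI=0, VN=version, mode=3,
    every other field zero (a real client also fills the transmit timestamp)."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    return struct.pack("!B", li_vn_mode) + b"\x00" * 47


def ntp_mode(packet: bytes) -> str:
    """Return the association mode name encoded in the first header byte."""
    if len(packet) < 48:
        raise ValueError("NTP packet must be at least 48 bytes")
    return MODE_NAMES.get(packet[0] & 0x07, "reserved")


@dataclass(frozen=True)
class AclEntry:
    action: str           # permit | deny
    proto: str            # tcp | udp | ip
    src: str              # host address or 'any'
    dst: str              # host address or 'any'
    dport: Optional[int]  # destination port from 'eq <port>', None if absent


def parse_acl_line(line: str) -> AclEntry:
    """Parse the PIX subset used in the thread:
    access-list <id> <permit|deny> <proto> host A|any host B|any [eq <port>]"""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line!r}")
    i, addrs = 4, []
    for _ in range(2):
        if tok[i] == "host":
            addrs.append(str(ip_address(tok[i + 1])))
            i += 2
        elif tok[i] == "any":
            addrs.append("any")
            i += 1
        else:
            raise ValueError("expected 'host <addr>' or 'any'")
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return AclEntry(tok[2], tok[3], addrs[0], addrs[1], dport)


def evaluate(entries: List[AclEntry], proto: str, src: str, dst: str,
             dport: int) -> str:
    """First-match evaluation with the PIX implicit deny at the end."""
    for e in entries:
        if e.proto not in (proto, "ip"):
            continue
        if e.src not in (src, "any") or e.dst not in (dst, "any"):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"


def check_rule(line: str) -> str:
    """Does this single ACL line pass an NTP packet (UDP, destination port 123)
    from the public server to the internal server?"""
    return evaluate([parse_acl_line(line)], "udp", PUBLIC_NTP, INTERNAL_NTP, NTP_PORT)


if __name__ == "__main__":
    posted = f"access-list 101 permit tcp host {PUBLIC_NTP} host {INTERNAL_NTP} eq 123"
    fixed = posted.replace(" tcp ", " udp ")
    print("request mode:", ntp_mode(build_ntp_client_request()))  # client
    print("posted (tcp) rule:", check_rule(posted))                # deny
    print("udp rule:", check_rule(fixed))                          # permit
```

Run as-is and the posted `tcp` line falls through to the implicit deny for UDP/123 traffic, while the same line with `udp` permits it; the mode decode shows why the outside server never has to open a connection on its own.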

