Community Member

NTP and ACL issues

Hello, I have a 7200 series router that I would like to have sync its time with a public NTP server. Time sync is actually working great. My problem is that when I run a port scanner I see that UDP 123 is in open state.

Here is my config regarding NTP. I would like UDP 123 to be closed. Is there a way to accomplish this?

access-list 1 permit 130.207.244.240
ntp access-group serve-only 1
ntp server 130.207.244.240

Thanks

1 REPLY
Cisco Employee

Re: NTP and ACL issues

If you configure NTP on the router then it's going to open the port so that it'll listen to packets on it. The above config will ensure that if the router receives an NTP packet from anywhere else it'll drop it, but there's no way to actually only open the port for that IP address.

You could apply an inbound ACL on your outside interface that basically says:

> access-list 100 permit udp host 130.207.244.240 host <router-outside-ip> eq 123

> access-list 100 deny udp any host <router-outside-ip> eq 123

> access-list 100 permit ip any any

> int serial 0

> description Connection to Internet

> ip access-group 100 in

(`<router-outside-ip>` stands for the address of the router's Internet-facing interface, which the post leaves out; IOS requires an address after `host`.)

that'll ensure no-one else gets in, and would probably close the port off to scans.

Also, be careful with UDP port scans; they're generally unreliable since there really is no connection in UDP. The port scan usually relies on receiving an ICMP Unreachable back, and if it doesn't, it'll assume the port is open. If you have something that silently drops packets (like a PIX), they'll quite often show that every available UDP port is open, when in actual fact they're not.
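To make the first-match behaviour of the suggested interface ACL concrete, here is an added Python model of it (example code written for this page, not anything from the thread or from Cisco). It encodes the three `access-list 100` entries with the router's outside address as a constructed placeholder, since the reply omits it, and evaluates constructed sample packets against them.

```python
# Added example: Cisco IOS standard/extended ACL first-match evaluation,
# applied to the "access-list 100" entries from the reply above.
from dataclasses import dataclass
from typing import Optional

ROUTER_IP = "203.0.113.1"       # placeholder (TEST-NET-3) for the serial 0 address
NTP_SERVER = "130.207.244.240"  # the NTP server from the original config

# Each entry: (action, protocol, source, destination, destination port or None).
# "any" matches every address; a host address must match exactly.
ACL_100 = [
    ("permit", "udp", NTP_SERVER, ROUTER_IP, 123),  # replies from our NTP server
    ("deny",   "udp", "any",      ROUTER_IP, 123),  # anyone else probing UDP/123
    ("permit", "ip",  "any",      "any",     None), # everything else passes
]


@dataclass(frozen=True)
class Packet:
    proto: str                  # "udp", "tcp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def _addr_matches(rule_addr: str, addr: str) -> bool:
    return rule_addr == "any" or rule_addr == addr


def _entry_matches(entry, pkt: Packet) -> bool:
    _action, proto, src, dst, dport = entry
    if proto != "ip" and proto != pkt.proto:   # "ip" matches any protocol
        return False
    if not (_addr_matches(src, pkt.src) and _addr_matches(dst, pkt.dst)):
        return False
    return dport is None or dport == pkt.dport


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; an ACL with no match ends in the implicit deny."""
    for entry in acl:
        if _entry_matches(entry, pkt):
            return entry[0]
    return "deny"


if __name__ == "__main__":
    probes = [  # constructed sample traffic arriving inbound on serial 0
        Packet("udp", NTP_SERVER, ROUTER_IP, 123),      # legitimate NTP reply
        Packet("udp", "198.51.100.7", ROUTER_IP, 123),  # a scanner hitting UDP/123
        Packet("tcp", "198.51.100.7", ROUTER_IP, 22),   # unrelated traffic
    ]
    for p in probes:
        print(f"{p.proto}/{p.dport} from {p.src} -> {evaluate(ACL_100, p)}")
```

Without the final `permit ip any any`, every non-NTP packet would fall through to the implicit deny, which is why that line matters as much as the two NTP entries.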
