Cisco Support Community
Community Member

NTP/SNTP Through PIX

Hi,

I am trying to setup a PIX (v6.3.3) to allow an internal host (Windows Server 2003 DC) to get its time from an NTP server on the Internet.

Sorry for all the questions...

1) I am confused because I thought the PIX allowed any connection originating from the inside. Based on that, why would I have to open UDP port 123?

2) What kind of vulnerabilities would "opening UDP port 123" to the outside world introduce to the LAN or internal host?

3) What is the process to get this accomplished if I am using PAT (one public IP address)? i.e. port redirection, access-list?

Thanks

4 REPLIES
Gold

Re: NTP/SNTP Through PIX

Hi,

The following document might be of use for setting up NTP access on PIX:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00801d449c.shtml

Thanks - Jay.

Community Member

Re: NTP/SNTP Through PIX

Thanks Jay. I am familiar with this document however it describes a scenario that does not match my setup.

I have a simple setup with one internal LAN, an NTP client inside and a PIX. My NTP client cannot sync with NTP servers on the outside.

Gold

Re: NTP/SNTP Through PIX

Pierre,

Okay, if you ever have connection problems through the PIX, the best bet to troubleshoot it is to turn on syslogging; the PIX will tell you exactly what's going wrong then. Do the following:

logging on

logging buffer debug

sho logging

*To disable logging issue: no logging on*

Can you post the result from the above and we'll take it from there?

Thanks, Jay - If you wish post direct to me : jmia@ohgroup.co.uk

Community Member

Re: NTP/SNTP Through PIX

Thanks Jay. I learned that NTP servers need to initiate UDP connections with their clients. Therefore, a regular xlate from inside will not work. So, since the PIX uses PAT with a single public IP address, I set up port forwarding for UDP port 123 with a static and an access-list, and my internal client immediately started to sync with the NTP server on the Internet.
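As an added illustration (not the poster's own configuration), here is what the PIX 6.3 static port forward and access-list described above look like, using placeholder addresses (10.1.1.5 for the inside DC, 203.0.113.10 for the PIX's single PAT address, 192.0.2.50 for the chosen Internet NTP server). The two access-list lines are alternatives: the first is the broad form, the second answers question 2 by limiting the opened port to the one server the DC actually talks to.

```cisco
! Added example with placeholder addresses, not the configuration from the thread.
! Map UDP/123 on the single public address to the internal DC (10.1.1.5) only.
static (inside,outside) udp 203.0.113.10 123 10.1.1.5 123 netmask 255.255.255.255 0 0

! Broad form: any Internet host may send UDP/123 to the DC through the static.
access-list outside_in permit udp any host 203.0.113.10 eq 123

! Restricted form (preferred): only the configured NTP server, sending from its
! own port 123, may reach the DC; everything else to UDP/123 is still denied.
access-list outside_in permit udp host 192.0.2.50 eq 123 host 203.0.113.10 eq 123

! Apply the list inbound on the outside interface.
access-group outside_in in interface outside
```

Use only one of the two access-list lines; with the restricted form, the syslog output from the `logging` commands earlier in the thread will still show any other outside source that tries UDP/123 being denied.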
