Cisco Support Community
New Member

Allowing NTP

What would the access list look like to allow NTP? I tried this but it doesn't seem to be working. I'm using time.nist.gov for the time server.

access-list 151 permit udp host 192.43.244.18 any eq ntp

4 REPLIES
Hall of Fame Super Silver

Re: Allowing NTP

Paul

The syntax of the access list looks ok - if the access list is applied inbound on the outward facing interface of your router or is applied outbound on the inward facing interface of your router.

You have the source address specified as the address of time.nist.gov, the protocol is udp, and the destination port specified as ntp, so that part should work. I would guess that either the access list is not applied correctly or that there is some line further up in the access list that is preventing the traffic before it gets to this line.

And of course there are other possibilities such as the possibility that you might not have IP reachability to the address of time.nist.gov or that there might be some firewall or something that is filtering the packet before it gets to the router where the access list is configured.

HTH

Rick
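The "line further up in the access list" case from the reply above comes down to first-match evaluation. The following is an added example, not part of any post in this thread: a simplified Python model of extended ACL matching (only `any`, `host`, wildcard addresses and `eq` ports). The `deny udp any any` entry and the use of 192.168.1.1 as the router address are constructed assumptions.

```python
import ipaddress

PORTS = {"ntp": 123}  # the one IOS port keyword this sample needs
def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok):  # consume 'any', 'host A' or 'A wildcard'
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def _port(tok):  # consume an optional 'eq <port>'
    if tok[:1] == ["eq"]:
        return PORTS.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok

def parse(line):
    tok = line.split()
    ace = {"line": line, "action": tok[2], "proto": tok[3]}
    ace["src"], rest = _addr(tok[4:])
    ace["sport"], rest = _port(rest)
    ace["dst"], rest = _addr(rest)
    ace["dport"], rest = _port(rest)
    return ace

def _ip_ok(spec, ip):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (_ip(ip) | wild) == (base | wild)

def first_match(acl_lines, pkt):
    """Return (entry number, action, text) of the first matching entry."""
    for n, ace in enumerate(map(parse, acl_lines), 1):
        if (ace["proto"] in ("ip", pkt["proto"])
                and _ip_ok(ace["src"], pkt["src"]) and _ip_ok(ace["dst"], pkt["dst"])
                and all(ace[k] in (None, pkt[k]) for k in ("sport", "dport"))):
            return n, ace["action"], ace["line"]
    return None, "deny", "implicit deny"  # every IOS ACL ends with this

# Constructed sample: the deny entry is hypothetical, the permit is from the thread.
ACL_151 = [
    "access-list 151 deny udp any any",
    "access-list 151 permit udp host 192.43.244.18 any eq ntp",
]
# Constructed NTP reply from the server to the router (router address assumed).
REPLY = {"proto": "udp", "src": "192.43.244.18", "sport": 123,
         "dst": "192.168.1.1", "dport": 123}
print(first_match(ACL_151, REPLY))
```

With the two entries in the opposite order the same reply matches the permit first, which is why the position of the NTP line within access list 151 matters.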

New Member

Re: Allowing NTP

Also do a permit ACL for the NTP server itself.

ntp logging

ntp clock-period 17179889

ntp source FastEthernet0/0

ntp access-group peer 15

ntp update-calendar

ntp server 192.43.244.18 prefer

access-list 15 permit 192.43.244.18

access-list 15 permit 192.168.1.1

! 192.168.1.1 is the IP address of fa0/0 or whatever your outside interface is

access-list 15 deny any log

BTW this access list is different than the access list that is applied to the outside interface. That is why it is 15 and not 151.

Re: Allowing NTP

Hi, [Do Rate all HELPFUL POSTS]

In addition to Rick's comments:

Sample Configuration:

-------------------------

access-list 31 permit xxx.xxx.xxx.xxx

access-list 31 permit xxx.xxx.xxx.xxx

!! ACL permit Statement for NTP Server

ntp clock-period 17179923

ntp source GigabitEthernet0/1

!! Gig Eth 0/1 connected to LAN Backbone

ntp access-group peer 31

ntp server xxx.xxx.xxx.xxx prefer

ntp server xxx.xxx.xxx.xxx

Do RATE ALL HELPFUL POSTS

Best Regards,

Guru Prasad R

New Member

Re: Allowing NTP

Hi,

You can try a ping test on the time server.

And verify the protocols with the following commands:

show ntp associations

show ntp status

You can also check whether the access-list configuration in the NTP configuration is matching (ntp access-group peer).
