Velocity Reviews - Computer Hardware Reviews

allow NTP to synch through a PIX

Tiaan van Aardt
Guest
Posts: n/a
 
      10-06-2006
Hi,

I have a client that has a PIX facing the internet. Internally, the
client has set up a DMZ and has allowed ssh access to a server. This
server also needs to sync to three external NTP time sources, but here
lies the problem:

The client has added the following rule for NTP:
---
access-list acl-dmz permit udp host xxx.yy.zzz.193 any eq ntp
---

This allows me to check the external NTP server using 'ntpq -p
<server>' but it does not allow ntpd to sync to the external source. On
one of the external sources I can see the request packets coming in and
an answer returned, but the answer never gets to the internal server.

The difference between ntpq and ntpd is that the former uses a source
port of >1024 and the latter always uses a source port of 123. Should
the client add any additional rules to make ntpd work?

Regards,
-Tiaan.

AM
Guest
Posts: n/a
 
      10-06-2006
Tiaan van Aardt wrote:
> Hi,
>
> I have a client that has a PIX facing the internet. Internally, the


Does "client" stand for "customer"?

> client has set up a DMZ and has allowed ssh access to a server. This
> server also needs to sync to three external NTP time sources, but here
> lies the problem:
>
> The client has added the following rule for NTP:
> ---
> access-list acl-dmz permit udp host xxx.yy.zzz.193 any eq ntp


This allows udp communication from any source port to 123 only.

> This allows me to check the external NTP server using 'ntpq -p
> <server>' but it does not allow ntpd to sync to the external source. On
> one of the external sources I can see the request packets coming in and
> an answer returned, but the answer never gets to the internal server.
>
> The difference between ntpq and ntpd is that the former uses a source
> port of >1024 and the latter always uses a source port of 123. Should
> the client add any additional rules to make ntpd work?


I don't think so because the rule above includes also ntpq (I rely on what you say about ntpq behavior)

Anyway while trying to make ntpq work, have a look at PIX logs. If something is denied it will tell you.

Alex
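Added example (not code from either poster): a small Python model of how the PIX access-list line quoted above is parsed and matched, illustrating Alex's reading that "eq ntp" qualifies the destination and so covers both ntpq's ephemeral source port and ntpd's source port 123. The connection-table handling of replies is a deliberate simplification (assumption); the addresses, ports and the second "source-pinned" ACL variant are constructed for illustration.

```python
# Constructed: the ACL from the post, and a variant that pins the *source*
# port instead (what a reader might wrongly assume "eq ntp" does).
ACL_FROM_POST = "access-list acl-dmz permit udp host xxx.yy.zzz.193 any eq ntp"
ACL_SOURCE_PINNED = "access-list acl-dmz permit udp host xxx.yy.zzz.193 eq ntp any"
NAMED_PORTS = {"ntp": 123, "ssh": 22}

def _endpoint(tok, i):
    """Parse 'any' | 'host <addr>' plus optional 'eq <port>'; None means any."""
    if tok[i] == "any":
        addr, i = None, i + 1
    elif tok[i] == "host":
        addr, i = tok[i + 1], i + 2
    else:
        raise ValueError("unsupported address spec: %s" % tok[i])
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = NAMED_PORTS.get(tok[i + 1]) or int(tok[i + 1])
        i += 2
    return addr, port, i

def parse_acl(line):
    # PIX syntax: access-list <name> permit|deny <proto> <src> [eq p] <dst> [eq p]
    tok = line.split()
    src, sport, i = _endpoint(tok, 4)
    dst, dport, _ = _endpoint(tok, i)
    return dict(action=tok[2], proto=tok[3], src=src, sport=sport, dst=dst, dport=dport)

def acl_permits(rule, proto, src, sport, dst, dport):
    """Match one outbound packet against the parsed ACL entry."""
    return (rule["action"] == "permit" and rule["proto"] == proto
            and rule["src"] in (None, src) and rule["sport"] in (None, sport)
            and rule["dst"] in (None, dst) and rule["dport"] in (None, dport))

def outbound(acl_line, flows):
    """Return {name: permitted} and the connection entries the permitted flows
    create. The connection table is a simplified model (assumption)."""
    rule, conns, verdict = parse_acl(acl_line), set(), {}
    for name, (src, sport, dst, dport) in flows.items():
        verdict[name] = acl_permits(rule, "udp", src, sport, dst, dport)
        if verdict[name]:
            conns.add(("udp", src, sport, dst, dport))
    return verdict, conns

def reply_admitted(conns, src, sport, dst, dport):
    """A reply passes the stateful check only if it reverses a tracked flow."""
    return ("udp", dst, dport, src, sport) in conns

# ntpq queries from an ephemeral port; ntpd sends from port 123 to port 123.
FLOWS = {"ntpq": ("xxx.yy.zzz.193", 45678, "198.51.100.10", 123),
         "ntpd": ("xxx.yy.zzz.193", 123, "198.51.100.10", 123)}
```

Running `outbound(ACL_FROM_POST, FLOWS)` permits both flows, so if ntpd's replies still vanish the cause lies elsewhere (NAT/xlate, a different interface ACL, or the upstream path), which is why the PIX logs are the next thing to check.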