allow NTP to synch through a PIX

Discussion in 'Cisco' started by Tiaan van Aardt, Oct 6, 2006.

  1. Hi,

    I have a client that has a PIX facing the internet. Internally, the
    client has set up a DMZ and has allowed ssh access to a server. This
    server also needs to sync to three external NTP time sources, but here
    lies the problem:

    The client has added the following rule for NTP:
    ---
    access-list acl-dmz permit udp host xxx.yy.zzz.193 any eq ntp
    ---

    This allows me to check the external NTP server using 'ntpq -p
    <server>' but it does not allow ntpd to sync to the external source. On
    one of the external sources I can see the request packets coming in and
    an answer returned, but the answer never gets to the internal server.

    The difference between ntpq and ntpd is that the former uses a source
    port of >1024 and the latter always uses a source port of 123. Should
    the client add any additional rules to make ntpd work?

    Regards,
    -Tiaan.
     
    Tiaan van Aardt, Oct 6, 2006
    #1

  2. AM

    Guest

    Tiaan van Aardt wrote:
    > Hi,
    >
    > I have a client that has a PIX facing the internet. Internally, the


    Does "client" stand for "customer"?

    > client has set up a DMZ and has allowed ssh access to a server. This
    > server also needs to sync to three external NTP time sources, but here
    > lies the problem:
    >
    > The client has added the following rule for NTP:
    > ---
    > access-list acl-dmz permit udp host xxx.yy.zzz.193 any eq ntp


    This allows udp communication from any source port to 123 only.

    > This allows me to check the external NTP server using 'ntpq -p
    > <server>' but it does not allow ntpd to sync to the external source. On
    > one of the external sources I can see the request packets coming in and
    > an answer returned, but the answer never gets to the internal server.
    >
    > The difference between ntpq and ntpd is that the former uses a source
    > port of >1024 and the latter always uses a source port of 123. Should
    > the client add any additional rules to make ntpd work?


    I don't think so, because the rule above also includes ntpq (I rely on what you say about ntpq behavior).

    Anyway, while trying to make ntpq work, have a look at the PIX logs. If something is denied, it will tell you.

    Alex
     
    AM, Oct 6, 2006
    #2
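As an added illustration of Alex's point that the quoted access-list filters on destination port only, here is a small Python model (not PIX code, and not written by either poster) that parses that one ACL line and runs the ntpq flow (ephemeral source port) and the ntpd flow (source port 123) through it, together with a simplified model of the PIX stateful UDP connection table. The addresses 192.0.2.193 and 198.51.100.10 are constructed stand-ins for the masked xxx.yy.zzz.193 and an external time source; the assumption that a permitted outbound UDP packet creates a connection entry whose exact reversed 5-tuple admits the reply is a simplification of PIX behaviour.

```python
import ipaddress

# Added example (not PIX code): a minimal evaluator for the extended ACL line
# quoted in the thread, plus a simplified model of the PIX stateful UDP
# connection table, used to check which of the two NTP flows the rule permits.
PORT_NAMES = {"ntp": 123, "ssh": 22, "domain": 53}

def _addr(tok, i):
    """Parse 'any' or 'host A.B.C.D' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    raise ValueError("unsupported address form: " + tok[i])

def parse_acl(line):
    """Parse 'access-list NAME permit|deny udp|tcp SRC DST [eq PORT]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] not in ("udp", "tcp"):
        raise ValueError("unsupported ACL form")
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":            # destination port only
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return {"name": tok[1], "action": tok[2], "proto": tok[3],
            "src": src, "dst": dst, "dport": dport}

def acl_permits(acl, proto, sip, sport, dip, dport):
    """Packet matches a permit entry? No match = implicit deny; sport is never consulted."""
    hit = (proto == acl["proto"]
           and ipaddress.ip_address(sip) in acl["src"]
           and ipaddress.ip_address(dip) in acl["dst"]
           and acl["dport"] in (None, dport))
    return hit and acl["action"] == "permit"

def simulate(acl, proto, sip, sport, dip, dport, reply_sport=123):
    """Outbound packet, then the server's reply; returns (out_ok, reply_ok).
    Simplified model: a permitted outbound UDP packet creates a conn entry and
    the reply is admitted only if it exactly reverses that 5-tuple."""
    if not acl_permits(acl, proto, sip, sport, dip, dport):
        return False, False
    conns = {(proto, sip, sport, dip, dport)}
    # reply travels dip:reply_sport -> sip:sport; reverse it and look it up
    return True, (proto, sip, sport, dip, reply_sport) in conns

# Constructed addresses: 192.0.2.193 stands in for the masked xxx.yy.zzz.193.
ACL = parse_acl("access-list acl-dmz permit udp host 192.0.2.193 any eq ntp")
NTPQ = ("udp", "192.0.2.193", 32768, "198.51.100.10", 123)   # ephemeral src
NTPD = ("udp", "192.0.2.193", 123, "198.51.100.10", 123)     # src port 123
```

Both `simulate(ACL, *NTPQ)` and `simulate(ACL, *NTPD)` return `(True, True)`, so under this model the rule itself is not what separates the two cases, which is why the PIX deny log is the next place to look.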
