Solved

Wireless router and NTP access

Posted on 2011-09-08
440 Views
Last Modified: 2012-05-12
I have a Cisco E4200 Wireless router set up on our network to temporarily allow guest access. I configured the router for NTP and specified the NTP servers that I want the router to poll. Now when I look at our firewall I see traffic from the guest network from the router to multiple NTP servers over port 123.

If I specified the NTP servers to be used why would there be additional requests from my router to additional NTP servers?

Thanks.
Question by:snowmizer
14 Comments
 
LVL 26

Expert Comment

by:Soulja
ID: 36503624
What leads you to believe it's sending additional requests? Is it trying to contact IPs or DNS names you didn't specify?
0
 

Author Comment

by:snowmizer
ID: 36503696
Yep. I see traffic in my firewall logs with my router as the source and various NTP servers as the destination. All traffic is on udp port 123.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36504339
Are the NTP servers you put in there using round-robin DNS?
0
 

Author Comment

by:snowmizer
ID: 36504375
I can't tell that because the NTP servers I am using are public NTP servers. How could round-robin DNS affect which NTP servers my router is accessing? Are you thinking that DNS is returning multiple NTP servers because of round-robin DNS? I've got the actual IP address configured in my NTP settings on my router so would round-robin DNS still play a role in this case?

Thanks.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36504423
Round-robin DNS would definitely produce the results you see. If you have a hostname that resolves to 5 IPs, then you will hit different servers instead of just the same one over and over.

However! If you have the IP addresses in your settings, then round-robin DNS becomes a non-issue.

What do the log excerpts look like? Paste if possible.
0
 

Author Comment

by:snowmizer
ID: 36504514
Sample logs (changes have been made to protect sensitive data):

Sep 08 2011 12:46:17 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34205 dst outinterface173.201.38.85/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:46:12 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34204 dst outinterface209.114.111.1/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:45:36 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34203 dst outinterface169.229.70.95/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:45:31 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34202 dst outinterface199.249.223.123/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:45:26 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34201 dst outinterface173.201.38.85/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:44:50 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34200 dst outinterface199.249.223.123/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:44:45 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34199 dst outinterface24.149.253.214/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:44:40 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34198 dst outinterface69.167.160.102/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:43:20 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34194 dst outinterface24.149.253.214/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:43:15 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34193 dst outinterface69.167.160.102/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
0
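The log excerpt above is exactly the kind of evidence a firewall admin wants to check mechanically: which NTP destinations the device is really polling, how often, and whether any of the servers entered in its configuration ever appear. The following is an added example, not code from the thread or from Cisco. It parses the %ASA-4-106023 deny lines as posted (source addresses were redacted by the author as 192.168.x.x, and the destination interface name is run into the IP in the pasted lines, so the pattern accepts both that form and the usual "outside:1.2.3.4" form). The author never posted the NTP server IPs he configured, so `CONFIGURED_NTP` below is a placeholder allow-list using documentation-range addresses.

```python
import re
from collections import Counter

# Placeholder allow-list (assumption): the thread does not give the NTP server
# IPs the author configured, so documentation-range addresses stand in.
CONFIGURED_NTP = {"203.0.113.10", "203.0.113.11"}

# Log lines as posted in the thread. Source IPs were redacted by the author.
SAMPLE_LOG = [
    'Sep 08 2011 12:46:17 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34205 dst outinterface173.201.38.85/123 by access-group "Guests_Network_ACL" [0x0, 0x0]',
    'Sep 08 2011 12:46:12 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34204 dst outinterface209.114.111.1/123 by access-group "Guests_Network_ACL" [0x0, 0x0]',
    'Sep 08 2011 12:45:36 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34203 dst outinterface169.229.70.95/123 by access-group "Guests_Network_ACL" [0x0, 0x0]',
    'Sep 08 2011 12:45:31 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34202 dst outinterface199.249.223.123/123 by access-group "Guests_Network_ACL" [0x0, 0x0]',
    'Sep 08 2011 12:45:26 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34201 dst outinterface173.201.38.85/123 by access-group "Guests_Network_ACL" [0x0, 0x0]',
    'Sep 08 2011 12:44:50 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34200 dst outinterface199.249.223.123/123 by access-group "Guests_Network_ACL" [0x0, 0x0]',
    'Sep 08 2011 12:44:45 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34199 dst outinterface24.149.253.214/123 by access-group "Guests_Network_ACL" [0x0, 0x0]',
    'Sep 08 2011 12:44:40 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34198 dst outinterface69.167.160.102/123 by access-group "Guests_Network_ACL" [0x0, 0x0]',
    'Sep 08 2011 12:43:20 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34194 dst outinterface24.149.253.214/123 by access-group "Guests_Network_ACL" [0x0, 0x0]',
    'Sep 08 2011 12:43:15 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34193 dst outinterface69.167.160.102/123 by access-group "Guests_Network_ACL" [0x0, 0x0]',
]

# %ASA-4-106023: Deny <proto> src <if>:<addr>/<port> dst <if>:<addr>/<port> by access-group "<acl>"
# The pasted lines have the destination interface name fused to the IP
# ("outinterface173.201.38.85"), so the colon after the interface is optional
# and the interface name is restricted to letters so it cannot eat the IP.
ASA_DENY = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[\w-]+):(?P<src>[\w.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>[A-Za-z_-]+):?(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_asa_deny(line):
    """Return the fields of one 106023 deny line as a dict, or None if it is not one."""
    m = ASA_DENY.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def ntp_destinations(lines):
    """Count denied UDP/123 flows per destination IP."""
    hits = Counter()
    for line in lines:
        rec = parse_asa_deny(line)
        if rec and rec["proto"].lower() == "udp" and rec["dport"] == 123:
            hits[rec["dst"]] += 1
    return hits


def unexpected_ntp_peers(lines, allowed):
    """NTP destinations the device polled that are not on the configured allow-list."""
    return {ip: n for ip, n in ntp_destinations(lines).items() if ip not in allowed}


def configured_peers_seen(lines, allowed):
    """Allow-listed servers that appear in the denies at all.

    An empty set while unexpected_ntp_peers() is non-empty means the device is
    using a peer list other than the one that was entered in its configuration.
    """
    return set(ntp_destinations(lines)) & set(allowed)


if __name__ == "__main__":
    for ip, n in sorted(unexpected_ntp_peers(SAMPLE_LOG, CONFIGURED_NTP).items()):
        print(f"unexpected NTP peer {ip}: {n} denied poll(s)")
    seen = configured_peers_seen(SAMPLE_LOG, CONFIGURED_NTP)
    print("configured servers seen:", sorted(seen) if seen else "none")
```

Run against the ten posted lines it reports six distinct destinations, none of them on the allow-list, which is the situation the author describes later in the thread: the deny rule on the guest ACL is working as intended, and the decision to make is whether to permit one or two of the peers the device actually uses or to leave it blocked.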
 
LVL 26

Expert Comment

by:Soulja
ID: 36504841
If it's trying to hit those IP addresses, then there must still be a setting enabled in addition to your server.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 36504918
Can you post a screenshot of where you are configuring this on the router? I do know that many SOHO routers only allow NTP through their WAN ports. Are the servers you configured on the LAN or WAN?
0
 

Author Comment

by:snowmizer
ID: 36504920
Hummm...I may have to pull the router and look at the config again. Is it possible for it to just use its own "default NTP" servers?
0
 

Author Comment

by:snowmizer
ID: 36504930
They are public NTP servers on the Internet...so WAN. I don't have access to the router currently because it's not plugged in. We only plug it in when we need it.
0
 
LVL 26

Accepted Solution

by:Soulja (earned 500 total points)
ID: 36504968
I bet it has its own servers coded into it to use. Cisco doesn't seem to say much about it for this model.
0
 

Author Comment

by:snowmizer
ID: 36505123
That's kind of where I was at... once you enable NTP it will try to go out and access the list it has, no matter whether you put in IP addresses or not. If I look for the addresses I put in the config, I don't see any traffic from the router to my NTP IPs. So basically it's pointless to put in an IP in this case. :)

I had just set the firewall rules to allow only traffic from this router to this particular IP over NTP, but may have to rethink that.

Thanks.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 36505181
Yeah, you may just need to allow traffic from that router to one or two of the NTP servers it's trying to hit.
0
 

Author Closing Comment

by:snowmizer
ID: 36511015
Thanks for all of the help. We decided how we were going to handle NTP from this router and have moved on.
0
