Wireless router and NTP access (Solved)

Posted on 2011-09-08
Last Modified: 2012-05-12
I have a Cisco E4200 wireless router set up on our network to temporarily allow guest access. I configured the router for NTP and specified the NTP servers that I want the router to poll. Now when I look at our firewall I see traffic on the guest network, from the router to multiple NTP servers, over port 123.

If I specified the NTP servers to be used, why would there be additional requests from my router to additional NTP servers?

Thanks.
Question by: snowmizer

Expert Comment by: Soulja (LVL 26), ID: 36503624
What leads you to believe it's sending additional requests? Is it trying to contact IPs or DNS names you didn't specify?

Author Comment by: snowmizer, ID: 36503696
Yep. I see traffic in my firewall logs with my router as the source and various NTP servers as the destination. All traffic is on udp port 123.

Expert Comment by: Papertrip (LVL 21), ID: 36504339
Are the NTP servers you put in there using round-robin DNS?

Author Comment by: snowmizer, ID: 36504375
I can't tell that because the NTP servers I am using are public NTP servers. How could round-robin DNS affect which NTP servers my router is accessing? Are you thinking that DNS is returning multiple NTP servers because of round-robin DNS? I've got the actual IP address configured in my NTP settings on my router so would round-robin DNS still play a role in this case?

Thanks.

Expert Comment by: Papertrip (LVL 21), ID: 36504423
Round-robin DNS would definitely produce the results you see. If you have a hostname that resolves to 5 IPs, then you will hit different servers instead of just the same one over and over.

However! If you have the IP addresses in your settings, then round-robin DNS becomes a non-issue.

What do the log excerpts look like? Paste if possible.

Author Comment by: snowmizer, ID: 36504514
Sample logs (changes have been made to protect sensitive data):

Sep 08 2011 12:46:17 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34205 dst outinterface173.201.38.85/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:46:12 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34204 dst outinterface209.114.111.1/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:45:36 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34203 dst outinterface169.229.70.95/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:45:31 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34202 dst outinterface199.249.223.123/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:45:26 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34201 dst outinterface173.201.38.85/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:44:50 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34200 dst outinterface199.249.223.123/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:44:45 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34199 dst outinterface24.149.253.214/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:44:40 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34198 dst outinterface69.167.160.102/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:43:20 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34194 dst outinterface24.149.253.214/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:43:15 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34193 dst outinterface69.167.160.102/123 by access-group "Guests_Network_ACL" [0x0, 0x0]

Expert Comment by: Soulja (LVL 26), ID: 36504841
If it's trying to hit those IP addresses, then there must still be a setting enabled in addition to your server.

Expert Comment by: Soulja (LVL 26), ID: 36504918
Can you post a screenshot of where you are configuring this on the router? I do know that many SOHO routers only allow NTP through their WAN ports. Are the servers you configured on the LAN or the WAN?

Author Comment by: snowmizer, ID: 36504920
Hmmm... I may have to pull the router and look at the config again. Is it possible for it to just use its own "default NTP" servers?

Author Comment by: snowmizer, ID: 36504930
They are public NTP servers on the Internet...so WAN. I don't have access to the router currently because it's not plugged in. We only plug it in when we need it.

Accepted Solution by: Soulja (LVL 26, earned 500 total points), ID: 36504968
I bet it has its own servers that are coded into it to use. Cisco doesn't seem to say much about it for this model.

Author Comment by: snowmizer, ID: 36505123
That's kind of where I was at... once you enable NTP, it will try to go out and access the list it has, no matter whether you put in IP addresses or not. If I look for the addresses I put in the config, I don't see any traffic from the router to my NTP IPs. So basically it's pointless to put in an IP in this case. :)

I had just set the firewall rules to allow only traffic from this router to this particular IP over NTP, but I may have to rethink that.

Thanks.

Expert Comment by: Soulja (LVL 26), ID: 36505181
Yeah, you may just need to allow from that router to one or two of the NTP servers it's trying to hit.
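
The checker below is an added example; it is not code from this thread, from Cisco, or from the ASA. It runs over the %ASA-4-106023 deny lines the poster supplied above (plus one constructed TCP/80 deny line, so the NTP filter has something to ignore), compares the UDP/123 destinations against the NTP server configured on the router, and ranks the unexpected peers by how often they were denied, which is the "allow one or two of the servers it's trying to hit" option from the last comment. The configured-server address 192.0.2.10 is a placeholder: the thread never states the real one.

```python
import ipaddress
import re
from collections import Counter

# The ten %ASA-4-106023 deny lines posted in this thread (source host
# redacted by the poster as 192.168.x.x), plus one constructed TCP/80 line
# at the end to show that non-NTP denies are ignored.
SAMPLE_LOG = """\
Sep 08 2011 12:46:17 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34205 dst outinterface173.201.38.85/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:46:12 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34204 dst outinterface209.114.111.1/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:45:36 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34203 dst outinterface169.229.70.95/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:45:31 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34202 dst outinterface199.249.223.123/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:45:26 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34201 dst outinterface173.201.38.85/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:44:50 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34200 dst outinterface199.249.223.123/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:44:45 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34199 dst outinterface24.149.253.214/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:44:40 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34198 dst outinterface69.167.160.102/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:43:20 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34194 dst outinterface24.149.253.214/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:43:15 DevName : %ASA-4-106023: Deny udp src Guests_Network:192.168.x.x/34193 dst outinterface69.167.160.102/123 by access-group "Guests_Network_ACL" [0x0, 0x0]
Sep 08 2011 12:42:00 DevName : %ASA-4-106023: Deny tcp src Guests_Network:192.168.x.x/34190 dst outinterface198.51.100.7/80 by access-group "Guests_Network_ACL" [0x0, 0x0]
"""

# Placeholder for the NTP server configured on the E4200. The thread never
# states the real address, so this is a hypothetical RFC 5737 test address.
CONFIGURED_NTP = {"192.0.2.10"}

# 106023 is the "denied by access-group" message. Stock ASA syslog separates
# the destination interface name from the address with a colon; the poster's
# excerpt lost it, so the colon is optional and the interface name is matched
# non-greedily up to the first dotted-quad.
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[\w-]+?):?(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+)"
)


def parse_denies(text):
    """Yield one dict per recognised 106023 deny line; other lines are skipped."""
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            yield d


def ntp_hits(text):
    """Count denied UDP/123 attempts per destination address."""
    counts = Counter()
    for d in parse_denies(text):
        if d["proto"] == "udp" and d["dport"] == 123:
            counts[d["dst"]] += 1
    return counts


def _by_addr(ip):
    """Sort key so addresses order numerically, not as strings."""
    return ipaddress.ip_address(ip)


def audit(text, configured):
    """Compare the NTP peers seen in the log with the configured allowlist."""
    hits = ntp_hits(text)
    observed = set(hits)
    return {
        "hits": dict(hits),
        "configured_seen": sorted(observed & configured, key=_by_addr),
        "configured_silent": sorted(configured - observed, key=_by_addr),
        "unexpected": sorted(observed - configured, key=_by_addr),
    }


def suggested_allowlist(text, configured, max_peers=2):
    """Rank unexpected peers by deny count (ties by address) and keep the top N:
    the 'allow one or two of the servers it is trying to hit' option."""
    result = audit(text, configured)
    ranked = sorted(result["unexpected"],
                    key=lambda ip: (-result["hits"][ip], _by_addr(ip)))
    return ranked[:max_peers]


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, CONFIGURED_NTP)
    for ip in report["unexpected"]:
        print(f"unexpected NTP peer {ip:16} denied {report['hits'][ip]} times")
    print("configured but never seen:", report["configured_silent"])
    print("candidate minimal allowlist:", suggested_allowlist(SAMPLE_LOG, CONFIGURED_NTP))
```

On the posted excerpt the configured address never appears and six unconfigured peers do, which matches the poster's own observation that the router ignores the address it was given. The denies themselves show the guest ACL doing its job; whatever peers you decide to permit, keep the set to the minimum the router actually reaches, since NTP here is plain UDP and the peer list was chosen by the firmware, not by you.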

Author Closing Comment by: snowmizer, ID: 36511015
Thanks for all of the help. We decided how we were going to handle NTP from this router and have moved on.