Solved

how to create an access-list to allow ntp

Posted on 2014-09-21
644 Views
Last Modified: 2014-10-09
Hi, I have an ASA5505 connected to my Cisco 2950, and currently my master DC/AD/DHCP/DNS has internet access.

Qns 1. I wish to know the correct way of allowing access to an external NTP?

I am not sure how to create an access-list, or whether an access-group should be used, in conjunction with my current config.
0
Comment
Question by:mikey250
14 Comments
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40335850
0
 
LVL 13

Accepted Solution

by:
Natty Greg earned 250 total points
ID: 40335935
Use the config below to set the time and date. Microsoft provides good NTP servers (Google it), and use the non-authenticated config to connect to it. (No, Microsoft will not provide you with auth, but their servers are reliable.)
(Remember this will be the weakest point in your secure network.)


Configure Clock Settings:

To configure the clock settings of the ASA appliance, use the clock set command as shown below:

ciscoasa# clock set hh:mm:ss [day month | month day] year

Example:

ciscoasa# clock set 18:30:00 Apr 10 2009

To verify the correct clock on the appliance, use the show clock command.

Configure Time Zone and Daylight Saving Time:

To configure the time zone and the summer daylight saving time use the commands below:

ciscoasa# config t
ciscoasa(config)# clock timezone [zone name] [offset hours from UTC]
ciscoasa(config)# clock summer-time [zone name] recurring [week weekday month hh:mm week weekday month hh:mm] [offset]

Example:

ciscoasa(config)# clock timezone MST -7
ciscoasa(config)# clock summer-time MST recurring 1 Sunday April 2:00 last Sunday October 2:00

Configure Network Time Protocol (NTP):

If there is an NTP server in the network that provides accurate clock settings, then you can configure the firewall to synchronize its time with the NTP server. Both an authenticated and non-authenticated NTP is supported:

Non-Authenticated NTP:

ciscoasa(config)# ntp server [ip address of NTP] source [interface name]

Example:

ciscoasa(config)# ntp server 10.1.23.45 source inside

Authenticated NTP:

ciscoasa(config)# ntp authenticate
ciscoasa(config)# ntp authentication-key [key ID] md5 [ntp key]
ciscoasa(config)# ntp trusted-key [key ID]
ciscoasa(config)# ntp server [ip address of NTP] key [key ID] source [intf name]

Example:

ciscoasa(config)# ntp authenticate
ciscoasa(config)# ntp authentication-key 32 md5 secretkey1234
ciscoasa(config)# ntp trusted-key 32
ciscoasa(config)# ntp server 10.1.2.3 key 32 source inside
0
 

Author Comment

by:mikey250
ID: 40339097
Hi nattygreg, thanks for your input, but yes, I have pretty much that config already put to one side.

What I wanted to do was ensure NTP configured on my ASA5505 was configured in an 'access-group' first, and then an 'access-list' created and then pointed to an outside free NTP device, so I wanted to know how to do this first and then wait for a response so I know it is working before ensuring my master DC can sync to an external NTP also.

I am currently trying to put together an access-group and access-list that allows this, but I am not sure if I have it correct yet. Currently I have created an 'allow_icmp' for inbound via a YouTube video.
0

Author Comment

by:mikey250
ID: 40339113
I was thinking something like below, which allows me to ping my public NTP server as below and then do: sh ntp status - for example... my network is disconnected at the moment.

config t
ntp server 93.93.131.217 source outside

object network outside_subnet
object network inside_subnet
  subnet 192.168.0.0 255.255.255.0
! object-group names are case-sensitive on the ASA: the name used in the
! access-list must match the name given here exactly
object-group icmp-type allow-icmp
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
 icmp-object traceroute

access-list INBOUND extended permit icmp any any object-group allow-icmp
access-list outbound extended permit udp any any eq ntp
0
 

Author Comment

by:mikey250
ID: 40339140
& the below to allow my single master dc to keep ntp clock timing with the below:

access-list outbound extended permit udp host 192.168.1.1 any eq 123 or ntp (not sure)
access-group outbound in interface inside
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 40347602
If you already have an outbound access list that only allows certain hosts out on certain ports, then yes, you need the outbound ACL:
Access-list outbound permit udp host 192.168.1.1 any eq 123

If you do not currently have an outbound ACL applied, then don't do this. You will block everything else.

You don't need the inbound ACE, because if the packet is allowed out, the response is automatically allowed back in.
0
 

Author Comment

by:mikey250
ID: 40347766
Hi, I have since set the ASA5505 back to factory default settings.

I have now only added:

access-list outbound extended permit udp any any eq ntp

ntp server 93.93.131.217 source outside
0
 

Author Comment

by:mikey250
ID: 40347769
I can ping 8.8.8.8 successfully.

I cannot yet ping 93.93.131.217 - but I realise it may take a long time to allow.

I am not sure if my ACL above is all that is needed?
0
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40348085
Could it be that the IP you are trying to ping does not accept ping request?
0
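Ping is ICMP, and many public time servers drop it while still answering on UDP/123, so a real NTP exchange is the only reliable test of whether the outbound ACL is doing its job. The script below is an added example written for this thread, not code posted by any of the participants: it builds an NTPv4 client (mode 3) request, parses the server (mode 4) reply, applies the sanity checks a client should make before trusting a reply (mode, echoed originate timestamp, kiss-o'-death, unsynchronised leap indicator), computes the RFC 5905 offset and delay, and shows the symmetric-key MD5 authenticator that corresponds to the ASA's `ntp authenticate` / `ntp authentication-key <id> md5 <key>` lines from the accepted answer (key id 32 and `secretkey1234` are reused from there purely as sample values). `make_server_reply` fabricates a sample reply so everything can be exercised offline; `query` performs a live lookup against whatever host you pass it. All function names are this example's own.

```python
"""Minimal NTPv4 client-side packet handling (RFC 5905): build a request,
parse and sanity-check a reply, compute offset/delay, and build/verify the
symmetric-key MD5 authenticator. Example code, not ASA or ntpd source."""
import hashlib
import hmac
import socket
import struct
import sys
import time

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800            # seconds from 1900-01-01 to 1970-01-01
HEADER = struct.Struct("!BBbbII4sQQQQ")  # 48-byte NTP header, network byte order


def to_ntp_ts(unix_seconds):
    """Unix float seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_seconds)
    frac = int(round((unix_seconds - whole) * (1 << 32)))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp_ts(ts):
    """64-bit NTP timestamp -> Unix float seconds."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(transmit_unix):
    """Mode-3 client request: LI=0, VN=4, mode=3 packs to 0x23. Only the
    transmit timestamp is set; the server echoes it back as 'originate'."""
    return HEADER.pack(0x23, 0, 0, 0, 0, 0, b"\0\0\0\0",
                       0, 0, 0, to_ntp_ts(transmit_unix))


def parse_reply(data):
    """Decode the 48-byte header. The originate timestamp is kept raw so it
    can be compared exactly against what we sent."""
    if len(data) < HEADER.size:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    (flags, stratum, poll, precision, _root_delay, _root_disp, refid,
     _ref_ts, orig_ts, recv_ts, xmit_ts) = HEADER.unpack_from(data, 0)
    return {"li": flags >> 6, "version": (flags >> 3) & 7, "mode": flags & 7,
            "stratum": stratum, "poll": poll, "precision": precision,
            "refid": refid, "orig_raw": orig_ts,
            "recv": from_ntp_ts(recv_ts), "xmit": from_ntp_ts(xmit_ts)}


def check_reply(reply, request_xmit_raw):
    """Checks a client should make before trusting a reply. Returns (ok, reason)."""
    if reply["mode"] != 4:
        return False, "mode %d is not a server reply" % reply["mode"]
    if reply["orig_raw"] != request_xmit_raw:
        return False, "originate timestamp does not match our request (stale or forged)"
    if reply["stratum"] == 0:  # kiss-o'-death: refid carries an ASCII code such as RATE
        return False, "kiss-o'-death %s" % reply["refid"].decode("ascii", "replace")
    if reply["li"] == 3:
        return False, "server clock is unsynchronised"
    return True, "stratum %d" % reply["stratum"]


def offset_and_delay(t1, t2, t3, t4):
    """RFC 5905 on-wire calculation: theta = ((T2-T1)+(T3-T4))/2, delta = (T4-T1)-(T3-T2)."""
    return ((t2 - t1) + (t3 - t4)) / 2.0, (t4 - t1) - (t3 - t2)


def append_md5_mac(packet, key_id, key):
    """Symmetric-key MAC as used by ntpd/ASA MD5 keys: 4-byte key id + MD5(key || header)."""
    digest = hashlib.md5(key + packet[:HEADER.size]).digest()
    return packet[:HEADER.size] + struct.pack("!I", key_id) + digest


def verify_md5_mac(packet, trusted_keys):
    """True only if a MAC is present, its key id is trusted and the digest matches."""
    if len(packet) != HEADER.size + 20:
        return False
    key_id = struct.unpack_from("!I", packet, HEADER.size)[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + packet[:HEADER.size]).digest()
    return hmac.compare_digest(expected, packet[HEADER.size + 4:])


def make_server_reply(request, recv_unix, xmit_unix, stratum=2, refid=b"GPS\0", li=0):
    """Constructed sample reply (what a server would send back) for offline testing."""
    orig_raw = HEADER.unpack_from(request, 0)[10]
    flags = (li << 6) | (4 << 3) | 4  # LI, VN=4, mode=4 (server)
    return HEADER.pack(flags, stratum, 6, -20, 0, 0, refid,
                       to_ntp_ts(recv_unix), orig_raw, to_ntp_ts(recv_unix), to_ntp_ts(xmit_unix))


def query(host, timeout=5.0):
    """Live check that UDP/123 passes the firewall: returns (ok, reason, offset, delay)."""
    t1 = time.time()
    req = build_request(t1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, NTP_PORT))
        data, _ = sock.recvfrom(512)
    t4 = time.time()
    reply = parse_reply(data)
    ok, reason = check_reply(reply, HEADER.unpack_from(req, 0)[10])
    theta, delta = offset_and_delay(t1, reply["recv"], reply["xmit"], t4)
    return ok, reason, theta, delta


if __name__ == "__main__":  # usage: python ntpcheck.py <server ip or name>
    print(query(sys.argv[1]))
```

Run it from a host behind the ASA against the server you configured; a timeout means UDP/123 is not getting out (or the reply is not getting back), while a parsed reply with a sane stratum and a small offset means the ACL and the server are both fine regardless of whether ping works. The originate-timestamp check is the one that matters most for security: it rejects replies that were not solicited by this client, which is what the ASA's own NTP client also does.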
 

Author Comment

by:mikey250
ID: 40348308
Hi Mohammed, yes, I realise that if I cannot ping the IP address 93.93.131.217 then it may not be accepting ping requests.

I have also read the below URL regarding Microsoft's free time server:

http://www.techrepublic.com/article/synchronize-a-cisco-routers-clock-with-network-time-protocol-ntp/

Via my standalone Win 7 desktop, which is plugged directly into my Virgin Media box, I carried out the below:

ping time-nw.nist.gov - failed ping
ping 131.107.1.10 - failed ping
ping 131.107.1.100 - failed ping
0
 

Author Comment

by:mikey250
ID: 40348412
I have been looking at links like this, but nothing seems to ping, and I am not even sure if I need to register.

http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
0
 

Author Closing Comment

by:mikey250
ID: 40371494
Good advice, appreciated.
0
