mikey250
asked on
how to create an access-list to allow ntp
hi I have an asa5505 connected to my cisco2950 and currently my master dc/ad/dhcp/dns has internet access.
Q1. I wish to know the correct way of allowing access to an external NTP server?
I am not sure how to create an access-list, or if an access-group should be used, in conjunction with my current config.
ASKER CERTIFIED SOLUTION
ASKER
hi nattygreg, thanks for your input, but yes, I have pretty much that config already put to one side.
What I wanted to do was ensure NTP on my asa5505 was configured in an 'access-group' first, then an 'access-list' created and pointed to an outside free NTP device. So I wanted to know how to do this first and then wait for a response so I know it is working, before ensuring my master DC can sync to an external NTP also.
I am currently trying to put together an access-group and access-list that allows this, but I am not sure if I have it correct yet. Currently I have created an 'allow_icmp' for inbound via a YouTube video.
ASKER
I was thinking of something like the below, which allows me to ping my public NTP server, and then do: sh ntp status - for example... my network is disconnected at the moment
config t
ntp server 93.93.131.217 source outside
object network outside_subnet
object network inside_subnet
subnet 192.168.0.0 255.255.255.0
object-group icmp-type allow-icmp
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
icmp-object traceroute
access-list INBOUND extended permit icmp any any object-group allow-icmp
access-list outbound extended permit udp any any eq ntp
ASKER
And the below to allow my single master DC to keep its NTP clock timing:
access-list outbound extended permit udp host 192.168.1.1 any eq ntp
(not sure whether to write eq 123 or eq ntp)
access-group outbound in interface inside
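The following is an added example of a complete, least-privilege version of the policy discussed above; it is not the asker's config and not the hidden solution. It assumes ASA 8.3 or later (the `object network` syntax the asker already uses), interfaces named inside and outside, NAT for 192.168.0.0/24 already in place (the DC already reaches the internet), the external NTP server 93.93.131.217 from the thread, and a hypothetical DC address of 192.168.0.10. Two points the thread leaves open are made explicit: the ASA's own `ntp server` traffic is generated by the firewall and is never filtered by interface ACLs, so it needs no access-list entry; and the moment an ACL is bound with `access-group ... in interface inside`, the default "higher to lower security level" permit is replaced by the implicit deny at the end of that list, so anything else the LAN needs must be permitted explicitly or the DC loses its internet access.

```cisco
! Added example (not from the thread). Assumes: interfaces named inside/outside,
! NAT for 192.168.0.0/24 already working, the DC at 192.168.0.10 (hypothetical
! address), and the external NTP server 93.93.131.217 from the thread.

! 1. The firewall's own clock: traffic the ASA generates is not subject to
!    interface ACLs, so this needs no access-list entry of its own.
ntp server 93.93.131.217 source outside

! 2. Named objects keep the ACL readable and make later changes one-line edits.
object network inside_subnet
 subnet 192.168.0.0 255.255.255.0
object network dc_host
 host 192.168.0.10
object network ext_ntp
 host 93.93.131.217

object-group icmp-type allow-icmp
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable

! 3. Egress policy for the LAN. Only the DC may talk NTP to the outside; every
!    other host syncs from the DC. Order matters: the first matching line wins.
access-list outbound remark Only the DC is allowed to sync time externally
access-list outbound extended permit udp object dc_host object ext_ntp eq ntp
access-list outbound remark Log and drop NTP from any other inside host
access-list outbound extended deny udp object inside_subnet any eq ntp log
access-list outbound remark Everything else the LAN already relies on (DNS, web, ...)
access-list outbound extended permit ip object inside_subnet any

! Binding the ACL replaces the default "higher to lower security level" permit
! with an implicit deny at the end of the list, so the final permit line above
! is what keeps the DC's existing internet access working.
access-group outbound in interface inside

! 4. Inbound on the outside interface: only the ICMP replies needed for ping
!    and traceroute. NTP replies to the DC are matched by the stateful
!    connection table, not by this list, so they need no entry here.
access-list INBOUND extended permit icmp any any object-group allow-icmp
access-group INBOUND in interface outside
```

The object-group name is written identically in its definition and in the ACL that references it; ASA names are case-sensitive, so `allow-icmp` and `ALLOW-ICMP` would be treated as two different objects. The `deny ... log` line is there for detection as much as for control: any other inside host trying to reach an external NTP server shows up in the log instead of silently falling through to the broad permit.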
SOLUTION
ASKER
hi I have since set asa5505 back to factory default settings.
I have now only added:
access-list outbound extended permit udp any any eq ntp
ntp server 93.93.131.217 source outside
ASKER
I can ping 8.8.8.8 successfully.
I cannot yet ping 93.93.131.217 - but I realise it may take a long time to allow.
I am not sure if my ACL above is all that is needed?
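Ping is a poor test for an NTP server: many public time servers drop ICMP echo, and a failed ping says nothing about UDP/123. The following verification steps are an added example, not part of the thread or of any hidden answer. They assume the ACL names used in the thread (`outbound` bound to inside, `INBOUND` bound to outside), the NTP server 93.93.131.217, and a hypothetical DC address of 192.168.0.10.

```cisco
! Added example of verification steps, not from the thread. Assumes the ACL
! names from the thread (outbound on inside, INBOUND on outside), the NTP
! server 93.93.131.217, and a hypothetical DC address of 192.168.0.10.

! Does the firewall itself sync? A "*" in front of the peer and a non-zero
! stratum mean the server answered. "unsynchronized" right after configuring
! the server is normal; NTP needs several poll intervals to converge.
show ntp associations
show ntp status

! Simulate the DC's NTP request through the policy without sending a packet.
! The output walks each phase (ACCESS-LIST, NAT, ...) and ends with
! "Action: allow" or "Action: drop" together with the phase that dropped it.
packet-tracer input inside udp 192.168.0.10 40000 93.93.131.217 123

! Hit counts on each ACE show whether real traffic from the DC matches the
! NTP permit rather than falling through to a later line.
show access-list outbound

! Denies carrying the "log" keyword appear as message %ASA-4-106023, provided
! logging is on (for example "logging enable" and "logging buffered warnings").
show logging | include 106023
```

`packet-tracer` is the check to run before touching the DC: it evaluates the interface ACL, NAT and routing for a synthetic packet, so a mistake such as binding an ACL that only permits NTP (and therefore drops the DC's DNS and web traffic) is visible as an explicit drop in the ACCESS-LIST phase rather than as an outage.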
Could it be that the IP you are trying to ping does not accept ping requests?
ASKER
hi mohammed, yes I realise that if I cannot ping the IP address 93.93.131.217 then it may not be accepting ping requests.
I have also read the URL below regarding Microsoft's free time server:
http://www.techrepublic.com/article/synchronize-a-cisco-routers-clock-with-network-time-protocol-ntp/
Via my standalone Win 7 desktop, which is plugged directly into my Virgin Media box, I carried out the below:
ping time-nw.nist.gov - failed ping
ping 131.107.1.10 - failed ping
ping 131.107.1.100 - failed ping
ASKER
I have been looking at links like this, but nothing seems to ping, and I am not even sure if I need to register.
http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
ASKER
good advice appreciated.
https://www.experts-exchange.com/questions/24791068/Recommendation-steps-NTP-access-through-Cisco-ASA-firewall.html