Solved

where to find a free external ntp

Posted on 2014-09-28
Last Modified: 2014-10-03
qns1. hi, I am looking on various sites and I cannot seem to find a free external ntp site, or one that I can ping, so does anyone know where I can find one to connect my asa5505 to?

http://www.techrepublic.com/article/how-do-i-make-sure-security-logs-exhibit-accurate-time-with-ntp/
http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
0
Comment
Question by:mikey250
17 Comments
 
LVL 10

Accepted Solution

by:
Ganesh Kumar A earned 500 total points
ID: 40348416
0
 

Author Comment

by:mikey250
ID: 40348419
hi ganesh, all I wish to do is link my asa5505 firewall to a free ntp service, so I just expected to add an ip address from http://www.pool.ntp.org/en/ - or do I need to join first?

yes, I found this link below earlier, but I could not ping anything and I am not sure if I had to register, as I do not have a reliable time source and I wish to sync with one?

http://tf.nist.gov/tf-cgi/servers.cgi
0
 
LVL 10

Assisted Solution

by:Ganesh Kumar A
Ganesh Kumar A earned 500 total points
ID: 40348443
Free NTP servers are available worldwide. Some will ping and some won't; subsequently, they may also use a different NTP port rather than the known port 123.

There is a list of servers on NTP.org which you need to specify on the ASA5505 firewall for time sync.
You need to ping and verify that the server pings from your network,
telnet on the default port or the port specified on the website,
and if it succeeds, then point to that server for NTP sync.

Security:
To secure it, check the port, allow access between your router and your firewall, and deny other ports.


"Join us" means: if you want to host your own public time server, then the article specifies that you need to join by adding their time server as the source NTP server.

http://blogtech.oc9.com/index.php?view=article&id=14%3Antp-server-list-by-countryprovider&option=com_content
0
 

Author Comment

by:mikey250
ID: 40348510
I have a successful 'ntp status' sync

I have attached a screenshot

in my asa I added the following only:

config t
access-list outbound extended permit udp any any eq ntp
ntp server 176.126.243.191 source interface outside

in order to get the above address I did: ping pool.ntp.org to get the above ip address, so I gather that is incorrect?

qns1. when I did: sh ntp status - it shows stratum 3, but surely my asa should be 'stratum 1' and my master dc will be stratum 2, for example?

note:

I viewed this link http://www.pool.ntp.org/en/use.html

I pinged the below:

ping 0.pool.ntp.org - gave me ip: 5.39.75.216
ping 1.pool.ntp.org - gave me ip: 88.149.128.123
ping 2.pool.ntp.org - gave me ip: 83.170.75.28
ping 3.pool.ntp.org - gave me ip: 146.185.130.223

qns2. I assume the above ip addresses are the ones I should add in my asa firewall & not: 176.126.243.191?
ntp-status-screenshot.docx
0
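An added example for the stratum question in the comment above (not part of the original thread): an NTP client always reports a stratum one higher than the server it synced to, and stratum 1 is reserved for servers attached directly to a reference clock, so a device showing stratum 3 has synced to a stratum 2 server. The sketch decodes the stratum from a constructed 48-byte server reply; the function names and sample values are assumptions.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
HEADER = "!BBbbII4sQQQQ"       # fixed 48-byte NTP header layout (RFC 5905)

def parse_ntp_header(packet: bytes) -> dict:
    """Decode the fields of the NTP header that matter for a sync check."""
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    (flags, stratum, _poll, _precision, _root_delay, _root_disp,
     ref_id, _ref_ts, _org_ts, _rx_ts, tx_ts) = struct.unpack(HEADER, packet[:48])
    return {
        "leap": flags >> 6,
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,
        "stratum": stratum,
        "ref_id": ref_id,
        "tx_unix": (tx_ts >> 32) - NTP_EPOCH_OFFSET,
    }

def client_stratum(server_reply: bytes) -> int:
    """Stratum a client reports once it has synced to the sender of this reply."""
    h = parse_ntp_header(server_reply)
    if h["mode"] != 4:
        raise ValueError("not a server reply (mode %d)" % h["mode"])
    if h["stratum"] == 0:
        raise ValueError("kiss-o'-death packet, code %r" % h["ref_id"])
    if h["leap"] == 3 or h["stratum"] >= 16:
        raise ValueError("server clock is unsynchronized")
    return h["stratum"] + 1

def sample_reply(stratum: int, leap: int = 0) -> bytes:
    """Constructed server reply (version 4, mode 4) stamped 2014-09-28 12:46:00 UTC."""
    flags = (leap << 6) | (4 << 3) | 4
    tx = (1411908360 + NTP_EPOCH_OFFSET) << 32
    ref_id = b"\xc0\x00\x02\x01"  # 192.0.2.1, a documentation address
    return struct.pack(HEADER, flags, stratum, 6, -20, 0, 0, ref_id, 0, 0, tx, tx)

if __name__ == "__main__":
    print(client_stratum(sample_reply(2)))  # reply from a stratum 2 server
    print(client_stratum(sample_reply(1)))  # reply from a stratum 1 server
```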
 

Author Comment

by:mikey250
ID: 40348518
I have currently removed the below, which took only about 1-2 mins to sync:

ntp server 176.126.243.191 source outside

I have now added:

ntp server 5.39.75.216 source outside

debug ntp events
debug ntp sync

I am still waiting for a sync
0
 

Author Comment

by:mikey250
ID: 40348537
I have now added the other 3 ntp servers below, as nothing synced on the single ntp, as stated on the last thread:

ntp server 88.149.128.123 source outside
ntp server 83.170.75.28 source outside
ntp server 146.39.75.216 source outside

so now I have all of the following:

ntp server 5.39.75.216 source outside
ntp server 88.149.128.123 source outside
ntp server 83.170.75.28 source outside
ntp server 146.39.75.216 source outside

note: I have now added my ntp status sync successful from: 88.240.128.123
ntpsync.docx
0
 
LVL 10

Assisted Solution

by:Ganesh Kumar A
Ganesh Kumar A earned 500 total points
ID: 40348540
For security reasons, allow only those public NTP IPs which are syncing with your ASA 5505, and ensure those are pinging and reachable on the well-defined port (123). Sometimes the port will change; you can find the information on the webpage.
0
 

Author Comment

by:mikey250
ID: 40348549
hi ganesh,

I can ping all successfully:

ntp server 5.39.75.216 source outside
 ntp server 88.149.128.123 source outside
 ntp server 83.170.75.28 source outside
 ntp server 146.39.75.216 source outside

I then added below but no sync even after 5 mins.

ntp server 5.39.75.216 source outside

I then added below and sync seconds later:

ntp server 88.149.128.123 source outside
0
 

Author Comment

by:mikey250
ID: 40348558
step 1

after adding the previous ntp ip address, the clock is now as utc time ie:

12.46 28 sep 2014

step 2

I then added the below in my asa config:

clock timezone cst/gmt -0
clock summer-time bst recurring

show clock shows my local time: 13:48 28 sep 2014
0
 

Author Comment

by:mikey250
ID: 40348559
I am not even sure if my last few threads are correct!!!
0
 
LVL 10

Assisted Solution

by:Ganesh Kumar A
Ganesh Kumar A earned 500 total points
ID: 40348589
Also, whatever you've mentioned in the above thread is sufficient. You must ensure that the time is syncing properly with your ASA and matches your time zone; you can also verify that it matches your system, which was in sync with accurate public time.

See, the public NTP server time is standard; it syncs to the client (your ASA) as the determined public time for your time zone. It may be UTC or your actual time zone. You will have an option to specify whether it is the DST or EST time zone, which changes automatically when the time change is required.
0
 

Author Comment

by:mikey250
ID: 40348598
hi ganesh, so are my settings correct or do I need anything else for the asa time sync to public ntp?
0
 
LVL 10

Assisted Solution

by:Ganesh Kumar A
Ganesh Kumar A earned 500 total points
ID: 40348630
Here are the steps to perform the time sync. Also, the ASA can only act as an NTP client, not as a server. Just point the hosts to an external NTP server and let them sync. If you have an access-list on your inside interface (restricting outbound traffic from your LAN), then just add a permit statement for ntp (udp/123).

Configure Clock Settings:

To configure the clock settings of the ASA appliance, use the clock set command as shown below:

ciscoasa# clock set hh:mm:ss [day month | month day] year

Example:

ciscoasa# clock set 18:30:00 Apr 10 2009

To verify the correct clock on the appliance, use the show clock command.

Configure Time Zone and Daylight Saving Time:

To configure the time zone and the summer daylight saving time use the commands below:

ciscoasa# config t
ciscoasa(config)# clock timezone [zone name] [offset hours from UTC]
ciscoasa(config)# clock summer-time [zone name] recurring [week weekday month hh:mm week weekday month hh:mm] [offset]

Example:

ciscoasa(config)# clock timezone MST -7
ciscoasa(config)# clock summer-time MST recurring 1 Sunday April 2:00 last Sunday October 2:00

Configure Network Time Protocol (NTP):

If there is an NTP server in the network that provides accurate clock settings, then you can configure the firewall to synchronize its time with the NTP server. Both authenticated and non-authenticated NTP are supported:

Non-Authenticated NTP:

ciscoasa(config)# ntp server [ip address of NTP] source [interface name]

Example:

ciscoasa(config)# ntp server 10.1.23.45 source inside

Authenticated NTP:

ciscoasa(config)# ntp authenticate
ciscoasa(config)# ntp authentication-key [key ID] md5 [ntp key]
ciscoasa(config)# ntp trusted-key [key ID]
ciscoasa(config)# ntp server [ip address of NTP] key [key ID] source [intf name]

Example:

ciscoasa(config)# ntp authenticate
ciscoasa(config)# ntp authentication-key 32 md5 secretkey1234
ciscoasa(config)# ntp trusted-key 32
ciscoasa(config)# ntp server 10.1.2.3 key 32 source inside
0
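What the authenticated NTP commands above check on the wire, as an added Python sketch (not from the thread and not Cisco's code): NTP symmetric-key authentication appends the key ID and MD5(key || packet) to each packet, and the receiver recomputes the digest with the key it trusts under that ID. It reuses key ID 32 and the key string from the example above; the function names and the constructed packet are assumptions.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48   # fixed NTP header
MAC_LEN = 4 + 16  # 32-bit key ID followed by a 128-bit MD5 digest

def build_request() -> bytes:
    """Constructed 48-byte client request: version 4, mode 3, other fields zero."""
    return struct.pack("!B47x", (4 << 3) | 3)

def add_mac(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append the key ID and MD5(key || packet) to an NTP packet."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest

def verify_mac(message: bytes, trusted_keys: dict) -> bool:
    """Accept only a header followed by a MAC made with a trusted key."""
    if len(message) != HEADER_LEN + MAC_LEN:
        return False  # unauthenticated or malformed packet
    header = message[:HEADER_LEN]
    key_id = struct.unpack("!I", message[HEADER_LEN:HEADER_LEN + 4])[0]
    digest = message[HEADER_LEN + 4:]
    key = trusted_keys.get(key_id)
    if key is None:
        return False  # key ID is not in the trusted set
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison

if __name__ == "__main__":
    trusted = {32: b"secretkey1234"}  # key ID and key from the example above
    signed = add_mac(build_request(), 32, trusted[32])
    print(verify_mac(signed, trusted))                         # genuine packet
    tampered = signed[:1] + b"\x01" + signed[2:]               # stratum byte altered
    print(verify_mac(tampered, trusted))                       # digest no longer matches
    print(verify_mac(build_request(), trusted))                # no MAC attached
```

Both ends must hold the same key under the same key ID, which is why the server line references the key ID that was declared trusted.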
 

Author Comment

by:mikey250
ID: 40348644
current tasks completed:

step 1

 after adding the previous ntp ip address, the clock is now as utc time ie:

 12.46 28 sep 2014

 step 2

 I then added the below in my asa config:

 clock timezone cst/gmt -0
 clock summer-time bst recurring

 show clock shows my local time: 13:48 28 sep 2014

config t

ntp server 5.39.75.216 source outside
ntp server 88.149.128.123 source outside
ntp server 83.170.75.28 source outside
ntp server 146.39.75.216 source outside

note: I have not yet added the authentication config below (this will be added after I receive sync between asa & master dc internal):

authenticated ntp:

 ciscoasa(config)# ntp authenticate
 ciscoasa(config)# ntp authentication-key [key id] md5 [ntp key]
 ciscoasa(config)# ntp trusted-key [key id]
 ciscoasa(config)# ntp server [ip address of ntp] key [key id] source [intf name]

 example:

 ciscoasa(config)# ntp authenticate
 ciscoasa(config)# ntp authentication-key 32 md5 secretkey1234
 ciscoasa(config)# ntp trusted-key 32
 ciscoasa(config)# ntp server 10.1.2.3 key 32 source inside
0
 
LVL 10

Expert Comment

by:Ganesh Kumar A
ID: 40348662
Yes perfect, it should be syncing well. Please update.
0
 

Author Comment

by:mikey250
ID: 40358924
hi ganesh, apologies for not replying back.
0
 

Author Closing Comment

by:mikey250
ID: 40358926
sound advice.  appreciated.
0
