
PIX firewall - Opening NTP Port for Public time server

Status
Not open for further replies.

hala

IS-IT--Management
Jun 7, 2003
6
QA
Hi,
Can anybody let me know?

I would like to open the NTP port in a PIX firewall to allow time server access so the ISA server can get time synchronisation. The path goes as follows:

Public time server -> PIX firewall -> ISA server -> DC -> workstations

How do I create an access list to open the NTP port in a Cisco PIX firewall?


 
By default any internal traffic can go outbound. So unless you are restricting what traffic goes out by using access-lists, you don't need anything special for NTP. But to answer your direct question, below is the access-list to allow any internal client to hit any external NTP server.

access-list out permit udp any any eq ntp

 
Yes, I have an access list deny control for internal traffic.

How can I synchronize my ISA server to the public time server (129.6.15.28) through the PIX?

Can you help me configure this in the PIX firewall?
 
Post your access-lists and access-groups here and I can give you the exact lines to enter.
 
Hi Joe,

Sorry, due to security policy I'm not in a position to post it... never mind.
I hope you will help me add the line in the PIX the normal way.

What I actually want to do is this:
[All of my servers and workstations (LAN) should synchronise with the public time server 129.6.15.28]

I showed you the route from the PIX to the workstations in my first post.

If you have time, please let me know what the best solution is to do this...
Thanks,
 
OK, let's give this a try.

In the diagram you have the time server coming into the PIX (unless the arrows weren't meant to mean anything, i.e. push time); this is wrong. Your clients pull time from the time sync server.

time server <-- pix <-- isa server <-- dc <-- workstations

So the connections from the ISA server are built as outbound connections. What you need is an ACL that is applied to the internal interface of the PIX. Something like this...

access-list outbound permit udp host <isa server> host 129.6.15.28 eq ntp

access-group outbound in interface inside

This will permit only the ISA server to go to the time server. At that point the ISA server will be synced, so all other internal clients can be synced against the ISA server.
 
Thanks... I did the same as you said.

On the ISA server I set the SNTP server to 129.6.15.28
using net time /setsntp:129.6.15.28
and confirmed it with net time /query.
It is configured properly.

So now both the firewall and the ISA server are configured.
I would like to make sure it is working fine.

Can you tell me how I can check the connectivity between the ISA server and the public time server, without using ping?

I appreciate your help,
 
The way that I confirm that the NTP is actually happening is to use the syslog logging of the PIX. Then on my workstation I run Kiwi Syslog to trap the syslog messages. Depending on the version of PIX OS you are running, you can set up logging on individual ACLs, so when a packet fires off an ACL it will log to the syslog server. Just add log and the level you want it to log at to the end of the ACL.

That is one way to do it. There is probably a way to set up event logging on the ISA server as well. This is the way that I do it for my PIX.

I hope this helps.
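As an added example (not posted by anyone in this thread), a minimal SNTP probe that answers the "check without ping" question from the host side: it sends a single NTP client request over UDP/123, parses the server's reply, and returns None on a timeout, which is what you see when the PIX ACL does not permit the flow. The server address and timeout are assumptions; the 48-byte sample reply is constructed for testing only.

```python
import socket
import struct
import time
from typing import Optional

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01)
NTP_EPOCH_OFFSET = 2208988800
NTP_PORT = 123


def build_request() -> bytes:
    # First byte: LI=0, VN=3, Mode=3 (client); remaining 47 bytes are zero
    return b"\x1b" + b"\x00" * 47


def parse_response(packet: bytes) -> dict:
    # Pull mode, stratum and the Transmit Timestamp (bytes 40-47) from a reply
    if len(packet) < 48:
        raise ValueError("NTP reply must be at least 48 bytes")
    mode = packet[0] & 0x07
    stratum = packet[1]
    tx_secs, tx_frac = struct.unpack("!II", packet[40:48])
    unix_time = tx_secs - NTP_EPOCH_OFFSET + tx_frac / 2**32
    return {"mode": mode, "stratum": stratum, "server_unix_time": unix_time}


def probe(server: str, timeout: float = 3.0) -> Optional[dict]:
    # Send one client request; None means no usable reply (timeout, ICMP
    # unreachable, or a non-server reply such as a stratum-0 kiss-o'-death)
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_request(), (server, NTP_PORT))
            data, _ = sock.recvfrom(512)
        finally:
            sock.close()
    except (socket.timeout, OSError):
        return None
    reply = parse_response(data)
    if reply["mode"] != 4 or reply["stratum"] == 0:
        return None
    # Rough clock offset; a few seconds means the path and the sync both work
    reply["offset_seconds"] = reply["server_unix_time"] - time.time()
    return reply


# Constructed reply: LI=0, VN=4, Mode=4 (server), stratum 2, tx time =
# 1000000000.5 Unix seconds (used only to exercise the parser offline)
SAMPLE_REPLY = bytes([0x24, 2]) + b"\x00" * 38 + struct.pack("!II", 3208988800, 0x80000000)

if __name__ == "__main__":
    print(probe("129.6.15.28") or "no NTP reply (blocked or unreachable)")
```

Run it from the ISA server itself; if the PIX ACL is firing (and logging, as described above) you should see a stratum-1 reply from 129.6.15.28, otherwise a timeout.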
 
You need to permit NTP inbound as well as outbound; since it's UDP and stateless, you have to permit it to come back in.


BuckWeet
 
From my experiences I have never had to allow NTP back into the network through the PIX.
 