SNTP needs (UDP) port 123 open on PIX501, how can this be done? 1

[gman10]

Good Evening all-

Am wondering how to open up UDP port 123 to allow my Windows 2000 server which is sitting behind the PIX to acquire SNTP synchronized time from the Internet (or more accurately, the US NAVAL Observatory..).. Is this best done thru access-list, static ip route?? Can anyone help me here?

HAve a great evening..

gman

 

[Joniels]

Check the NTP command:

ntp
Synchronizes the PIX Firewall with a network time server using the Network Time Protocol (NTP).

[no] ntp authenticate
[no] ntp authentication-key number md5 value
ntp server ip_address [key number] source if_name [prefer]
no ntp server ip_address
[no] ntp trusted-key number
clear ntp
show ntp
show ntp associations [detail]
show ntp status

 

[ChrisAC]

I think that he want his Windows box to access an NTP server, not the firewall.

gman10, do you have any rules on the firewall that limit outbound connectivity? If not then you should be able to access an NTP server without a problem as long as the Windows box is subject to a NAT rule on the firewall, ie. it has internet access. By default the pix allows all outbound traffic but blocks inbound traffic.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************

 

[gman10]

Correct IPROUTE,

I am looking to have my Windows 2000 server get past the PIX to the internet hence opbtaining NTP time from the US NAVAL OBSERVATORY site.. My OUTSIDE interface on the PIX is open..

gman

 

[ChrisAC]

Not sure what you mean by "My OUTSIDE interface on the PIX is open.." as all traffic is blocked by default from the outside to the inside. However, traffic from the inside to the outside is allowed by default and so providing that you haven't put any ACL's in place it should work already. Have you tried it?

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************

 

[gman10]

Chris,

Yes sorry, I meant outbound traffic.. not OUTSIDE.. Will try it tomorrow when I'm on site at the customer.. It's in a desolate "basement" location and the customer really won't be there so I can play all I want..

thanks again!

gman

 

[fs483]

I think if you run "w32tm -once -y -test" in the command prompt, you'll discover if pix is allowing communication to the chosen ntp server.

 

[snootalope]

I got a similar issue here.. I've setup my routers and switches to keep time by using an external Naval time source: 192.5.41.41

Anyway, here's my setup: I got 4 LAN segments that are on a 10.10.x.x scheme. Their all connected via frame relay, and the frame interfaces are setup in a 192.168.1.x, 192.168.2.x, 192.168.3.x manner.

This is the id being logged on my PIX:

<163>Jul 29 2004 23:58:35 10.10.1.96 : %PIX-3-305005: No translation group found for udp src inside:192.168.2.2/123 dst outside:192.5.41.41/123

I setup a Dynamic translation group for 192.168.0.0 255.255.255.255, but that still isn't getting rid of the error. Is it my subnet mask that i'm using??? I can't figure it out cause that dynamic group is setup just like my group my LAN's NAT.

Advice?

Snoots

 

[ChrisAC]

Try "nat (outside) <group> 0.0.0.0 0.0.0.0"

This will ensure that all inside addresses are matched and NATed and should clear the error.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************

 

[snootalope]

Excellent, thanks. Now that I'm natting 0.0.0.0, I can probably remove my other dynamic groups that translate to the same address right? Cause hell, I'm not blocking anything outgoing anyway!

 

[ChrisAC]

Correct!

**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************