Cisco ASA – Configuring for NTP

KB ID 0000608 Dtd 25/05/12

Problem

With NTP there are two things you will typically want to do: 1) allow a device behind the ASA to take its time from a public NTP server, and 2) set the ASA itself to take its system time from a public NTP server (for accurate timestamps on the logs, and for time-critical things like Kerberos authentication, which fails once clocks drift more than a few minutes apart).

Solution

Allow internal host(s) to get system time through the firewall.

1. Connect to the ASA, go to "enable mode", then to "Configure terminal mode"

User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure terminal
PetesASA(config)#

2. To see whether any rules are being applied to traffic going OUT through the firewall, run a "show run access-group" command.

PetesASA(config)# show run access-group
Sample Output:
access-group outbound in interface inside
access-group inbound in interface outside

Note: If it returns nothing, outbound traffic is NOT being filtered and NTP should work without any further change. In the example above, traffic going IN the inside interface (that's traffic going out if you think about it!) is being filtered by an access list called 'outbound'. I give the ACLs sensible names; yours could be called anything, so use the name that appears in your own output. Remember that a line added to an access list is appended to the end of it and the list ends with an implicit deny, so if your ACL already has a broader deny earlier in the list the new permit must be placed above it (with the line keyword) or it will never be hit.

3. Add a permit for UDP port 123 to that access list. To allow ALL internal hosts use the keyword any as the source; for a specific host use the keyword host followed by its address.

Allow all hosts access to NTP:
PetesASA(config)# access-list outbound permit udp any any eq 123
Allow one host (10.254.254.1) access to NTP:
PetesASA(config)# access-list outbound permit udp host 10.254.254.1 any eq 123

4.  Finally save the updated config.

PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#
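Once the ACL is in place, the quickest way to prove that UDP/123 really gets through the firewall is to send a single SNTP request from an inside host and see whether a reply comes back. The following script is an added example, not part of the original article: it builds a 48-byte client request, decodes the server's transmit timestamp from the reply, and treats a timeout as "blocked or unreachable". The reply packet in sample_reply() is constructed here so the decoder can be exercised offline (its timestamp is the one shown in the synchronised "show ntp status" output later on this page); the server address in the __main__ block is an assumption, so substitute the one you permitted.

```python
# Added example: SNTP probe to confirm UDP/123 is reachable through the ASA from an
# inside host. Not part of the original KB article. The reply in sample_reply() is
# constructed for an offline check; probe() sends a real query.
import socket
import struct
import time
from typing import Optional

NTP_UNIX_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)


def build_sntp_request() -> bytes:
    # Byte 0: LI=0, VN=3, Mode=3 (client) -> 0b00011011 = 0x1B; the other 47 bytes are zero.
    return bytes([0x1B]) + bytes(47)


def parse_sntp_response(data: bytes) -> dict:
    """Decode the fields a firewall check cares about from a 48-byte server reply."""
    if len(data) < 48:
        raise ValueError("short NTP packet (%d bytes)" % len(data))
    li, vn, mode = data[0] >> 6, (data[0] >> 3) & 0x7, data[0] & 0x7
    stratum = data[1]
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if li == 3 or stratum == 0:
        # LI=3 means the server's own clock is unsynchronised; stratum 0 is a kiss-o'-death
        raise ValueError("server reports it is unsynchronised")
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])  # Transmit Timestamp field
    return {
        "version": vn,
        "stratum": stratum,
        "unix_time": tx_sec - NTP_UNIX_OFFSET + tx_frac / 2**32,
    }


def probe(server: str, timeout: float = 2.0) -> Optional[dict]:
    """Send one SNTP request to server:123. Returns None on timeout, which from an inside
    host usually means the ASA access list (or the upstream path) is dropping UDP/123."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_sntp_request(), (server, 123))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    result = parse_sntp_response(data)
    result["skew_seconds"] = result["unix_time"] - time.time()
    return result


def sample_reply() -> bytes:
    # Constructed stratum-2 server reply (LI=0, VN=3, Mode=4 -> 0x1C). The transmit
    # timestamp 0xd36a0f74 is the reference time from the article's synchronised
    # 'show ntp status' output, i.e. 14:02:28 UTC on Fri 25 May 2012.
    header = bytes([0x1C, 2, 6, 0xEC])  # LI/VN/Mode, stratum, poll, precision
    body = bytes(36)                      # root delay/dispersion, ref id, three timestamps
    return header + body + struct.pack("!II", 0xD36A0F74, 0)


if __name__ == "__main__":
    print(parse_sntp_response(sample_reply()))
    # Assumed server address: replace with the one you permitted through the ACL.
    print(probe("130.88.212.143") or "no reply: check the outbound ACL on the ASA")
```

Run it from a host on the inside network. A decoded reply with a small skew_seconds value means both the ACL and the upstream path are fine; a None result with the ACL freshly added is the cue to check the access list order and the access-group binding rather than the server.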

Set the ASA to get its System Time from an External NTP Source

1. Connect to the ASA, go to "enable mode", then to "Configure terminal mode"

User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure terminal
PetesASA(config)#

2. Add an NTP server. The IP address I'm using is a public NTP server in the UK; if you are elsewhere, pick one closer to you. The source outside keyword tells the ASA to send its NTP requests from the outside interface, so use whichever interface the server is actually reached through. Where you can, configure at least two servers and mark one with the prefer keyword, and if the server supports it enable NTP authentication (ntp authenticate, ntp authentication-key, ntp trusted-key and the key keyword on the ntp server line) so the ASA will not take its time from a spoofed source.

PetesASA(config)# ntp server 130.88.212.143 source outside

3. To check on its status, run a "show ntp status" command. BUT it will take a few minutes to synchronise; until it does you will see:

PetesASA(config)# show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is d36a01de.60ad92ea (13:04:30.377 UTC Fri May 25 2012)
clock offset is 3414265.0854 msec, root delay is 26.09 msec
root dispersion is 3430186.81 msec, peer dispersion is 16000.00 msec
PetesASA(config)#

When it has synchronised it will say:

PetesASA(config)# show ntp status
Clock is synchronized, stratum 3, reference is 130.88.212.143
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is d36a0f74.a34d5dde (14:02:28.637 UTC Fri May 25 2012)
clock offset is -9.1688 msec, root delay is 25.91 msec
root dispersion is 15915.95 msec, peer dispersion is 15890.63 msec
PetesASA(config)#

4.  Finally save the updated config.

PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#
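The "show ntp status" output above is worth checking on a schedule, not just once: a firewall that silently drops back to stratum 16 will stamp its logs with a drifting clock. The script below is an added example, not part of the original article. It parses the two outputs shown above (captured over SSH or pasted in) and reports the firewall's clock as healthy only when it is synchronised, to the server you actually configured, with an offset inside a threshold you choose; the 500 ms default threshold is an assumption.

```python
# Added example: parse ASA 'show ntp status' output and decide whether the firewall's
# clock is fit to timestamp logs. Not part of the original KB article; the two sample
# outputs are copied from the article.
import re
from typing import Optional

UNSYNCED = """\
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is d36a01de.60ad92ea (13:04:30.377 UTC Fri May 25 2012)
clock offset is 3414265.0854 msec, root delay is 26.09 msec
root dispersion is 3430186.81 msec, peer dispersion is 16000.00 msec
"""

SYNCED = """\
Clock is synchronized, stratum 3, reference is 130.88.212.143
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is d36a0f74.a34d5dde (14:02:28.637 UTC Fri May 25 2012)
clock offset is -9.1688 msec, root delay is 25.91 msec
root dispersion is 15915.95 msec, peer dispersion is 15890.63 msec
"""

STATUS_RE = re.compile(r"Clock is (synchronized|unsynchronized), stratum (\d+)")
REF_RE = re.compile(r"reference is (\S+)")          # absent when there is no reference clock
OFFSET_RE = re.compile(r"clock offset is (-?\d+(?:\.\d+)?) msec")


def parse_ntp_status(text: str) -> dict:
    """Pull the sync state, stratum, reference server and offset out of the output."""
    m = STATUS_RE.search(text)
    if not m:
        raise ValueError("unrecognised 'show ntp status' output")
    ref = REF_RE.search(text)
    off = OFFSET_RE.search(text)
    return {
        "synchronized": m.group(1) == "synchronized",
        "stratum": int(m.group(2)),
        "reference": ref.group(1) if ref else None,
        "offset_ms": float(off.group(1)) if off else None,
    }


def ntp_healthy(text: str, expected_server: Optional[str] = None,
                max_offset_ms: float = 500.0) -> bool:
    """True only if the clock is synchronised, to the expected server when one is given,
    and the offset is small enough that log timestamps and Kerberos tickets can be trusted."""
    s = parse_ntp_status(text)
    if not s["synchronized"] or s["stratum"] >= 16:
        return False
    if expected_server is not None and s["reference"] != expected_server:
        return False  # synced, but to something other than the server we configured
    return s["offset_ms"] is not None and abs(s["offset_ms"]) <= max_offset_ms


if __name__ == "__main__":
    for name, text in (("before", UNSYNCED), ("after", SYNCED)):
        print(name, parse_ntp_status(text), "healthy:", ntp_healthy(text, "130.88.212.143"))
```

Checking the reference address as well as the synchronised flag matters: "synchronized" on its own only tells you the ASA has accepted some source, not that it is the one you configured.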

Related Articles, References, Credits, or External Links

Set Cisco ASA for Kerberos Authentication
