From: Todd Veillette (tveillette@myeastern.com)
Date: Sun Dec 15 2002 - 03:13:19 GMT-3
Don,
Is your xlate still there for the client? Is it the same server the
pix is pointing to for its time?
Not sure why you would get time twice? I always get it to a
backbone device, and dole it from there with authentication.
Better still, grab it from a Router outside the PIX, authenticate,
and let your backbone device grab it from the outside through
your pix. Have the pix get the authenticated time from the inside.
-TV
----- Original Message -----
From: "Don" <seadon@attbi.com>
To: <ccielab@groupstudy.com>
Sent: Saturday, December 14, 2002 4:43 PM
Subject: Re: NTP through a PIX 501
> Here is the config. A sniffer shows a response coming back to the outside
> port, but not making it through to the inside port. I wonder if it has
> anything to do with the 501 acting as a client and so sending NTP responses
> to itself?
>
> Thanks for the help, Don
>
> PIX Version 6.2(2)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password ???????????? encrypted
> passwd ????????????? encrypted
> hostname pixfirewall
> domain-name ???????????
> clock timezone PST -8
> clock summer-time PDT recurring
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> access-list inside_access_in permit ip any any
> access-list outside_access_in permit icmp any any
> pager lines 24
> logging on
> interface ethernet0 10baset
> interface ethernet1 10full
> mtu outside 1500
> mtu inside 1500
> ip address outside dhcp setroute
> ip address inside 192.168.1.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm logging debugging 100
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> access-group outside_access_in in interface outside
> access-group inside_access_in in interface inside
> timeout xlate 0:05:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> ntp server 207.46.248.43 source outside
> http server enable
> http 192.168.1.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> no sysopt route dnat
> telnet 192.168.1.0 255.255.255.0 inside
> telnet timeout 5
> ssh timeout 5
> dhcpd address 192.168.1.100-192.168.1.131 inside
> dhcpd lease 3600
> dhcpd ping_timeout 750
> dhcpd auto_config outside
> dhcpd enable inside
> terminal width 80
> Cryptochecksum:??????????: end
> pixfirewall#
>
>
>
> ----- Original Message -----
> From: "Brian T. Albert" <brian.albert@worldnet.att.net>
> To: "Don" <seadon@attbi.com>; <ccielab@groupstudy.com>
> Sent: Friday, December 13, 2002 5:59 PM
> Subject: RE: NTP through a PIX 501
>
>
> > Don,
> >
> > I have a setup in my lab with a router outside the pix configured as an NTP
> > master and a router inside the firewall configured as an NTP server. My 501
> > runs 6.22 and has no problem allowing the return connection from the master
> > back to the server. I have no entry in my acl on the outside interface to
> > accomplish this. Can you supply your configs?
> >
> > Brian T. Albert
> > CCIE #9682
> > brian.albert@worldnet.att.net
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > Don
> > Sent: Friday, December 13, 2002 6:13 PM
> > To: ccielab@groupstudy.com
> > Subject: NTP through a PIX 501
> >
> >
> > Anyone know how to allow NTP clients behind a PIX 501 running 6.22 to do a
> > time request? In my network, the NTP clients try to contact the time server
> > on the Internet, but the PIX does not allow the response from the server
> > back into the network.
> > Thanks, Don
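To check from an inside host whether a server reply actually makes it back through the PIX (rather than only reaching the outside interface, as Don's sniffer showed), here is a minimal NTP client added as an example; it is not code from the thread. It sends a mode 3 request from an ephemeral UDP port, which is the flow the PIX must build an xlate for, and only accepts a mode 4 reply; the sample reply bytes are constructed, and the server address is taken from the command line.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
NTP_PORT = 123


def build_request() -> bytes:
    """48-byte NTP v3 client packet: LI=0, VN=3, Mode=3, transmit timestamp = now."""
    packet = bytearray(48)
    packet[0] = (0 << 6) | (3 << 3) | 3
    now = time.time() + NTP_EPOCH_OFFSET
    struct.pack_into("!II", packet, 40, int(now), int((now % 1) * (1 << 32)))
    return bytes(packet)


def parse_response(data: bytes) -> dict:
    """Parse a server reply (Mode 4). Anything else means no real reply got back."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    mode = data[0] & 0x07
    if mode != 4:
        raise ValueError("expected server reply (mode 4), got mode %d" % mode)
    secs, frac = struct.unpack("!II", data[40:48])
    return {
        "leap": data[0] >> 6,
        "version": (data[0] >> 3) & 0x07,
        "stratum": data[1],
        "transmit_time": secs - NTP_EPOCH_OFFSET + frac / (1 << 32),  # Unix seconds
    }


def query(server: str, timeout: float = 3.0) -> dict:
    """Send one request from an ephemeral UDP port; the PIX must pass the reply
    back through the xlate it created for that source port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (server, NTP_PORT))
        data, _ = sock.recvfrom(512)  # socket.timeout here = reply never passed
    return parse_response(data)


# Constructed sample reply (not a capture): LI=0, VN=3, Mode=4, stratum 2,
# transmit timestamp 2002-12-14 00:00:00 UTC (Unix 1039824000), zero fraction.
SAMPLE_REPLY = (bytes([0x1C, 0x02]) + bytes(38)
                + struct.pack("!II", 1039824000 + NTP_EPOCH_OFFSET, 0))

if __name__ == "__main__":
    import sys
    print(query(sys.argv[1]))  # usage: python ntp_probe.py <server>
```

A timeout on the inside host while the outside sniffer still sees the reply confirms the PIX is dropping it; a mode error means what came back was a request, not a server answer.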
This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:46 GMT-3