From: Don (seadon@attbi.com)
Date: Mon Dec 16 2002 - 02:16:31 GMT-3
Here is the log of the UDP translation it sets up. This is my home network
and it does not have any dedicated routers to act as NTP masters at this
time, as they are all being used for my practice lab. All the clients are
either Windows computers or Cisco 2600 or 3600 routers. Neither can get the
time, as neither gets a return packet back through the PIX. It just drops the
return packet with no other log entries than what you see here. The
Internet NTP server does return a packet.
305011: Built dynamic UDP translation from inside:192.168.1.100/123 to
outside:xxx.xxx.xxx.xxx/366
302015: Built outbound UDP connection 10601 for outside:207.46.248.43/123 (207.46.248.43/123) to inside:192.168.1.100/123 (xxx.xxx.xxx.xxx/366)
----- Original Message -----
From: "Brian T. Albert" <brian.albert@worldnet.att.net>
To: "Don" <seadon@attbi.com>; <ccielab@groupstudy.com>
Sent: Sunday, December 15, 2002 12:51 PM
Subject: RE: NTP through a PIX 501
> Don,
>
> What does your debug log show? Do you see the connection being built?
> Anything being denied?
>
> Brian
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Don
> Sent: Saturday, December 14, 2002 3:43 PM
> To: ccielab@groupstudy.com
> Subject: Re: NTP through a PIX 501
>
>
> Here is the config. A sniffer shows a response coming back to the outside
> port, but not making it through to the inside port. I wonder if it has
> anything to do with the 501 acting as a client and so sending NTP responses
> to itself?
>
> Thanks for the help, Don
>
> PIX Version 6.2(2)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password ???????????? encrypted
> passwd ????????????? encrypted
> hostname pixfirewall
> domain-name ???????????
> clock timezone PST -8
> clock summer-time PDT recurring
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> access-list inside_access_in permit ip any any
> access-list outside_access_in permit icmp any any
> pager lines 24
> logging on
> interface ethernet0 10baset
> interface ethernet1 10full
> mtu outside 1500
> mtu inside 1500
> ip address outside dhcp setroute
> ip address inside 192.168.1.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm logging debugging 100
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> access-group outside_access_in in interface outside
> access-group inside_access_in in interface inside
> timeout xlate 0:05:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> ntp server 207.46.248.43 source outside
> http server enable
> http 192.168.1.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> no sysopt route dnat
> telnet 192.168.1.0 255.255.255.0 inside
> telnet timeout 5
> ssh timeout 5
> dhcpd address 192.168.1.100-192.168.1.131 inside
> dhcpd lease 3600
> dhcpd ping_timeout 750
> dhcpd auto_config outside
> dhcpd enable inside
> terminal width 80
> Cryptochecksum:??????????: end
> pixfirewall#
>
>
>
> ----- Original Message -----
> From: "Brian T. Albert" <brian.albert@worldnet.att.net>
> To: "Don" <seadon@attbi.com>; <ccielab@groupstudy.com>
> Sent: Friday, December 13, 2002 5:59 PM
> Subject: RE: NTP through a PIX 501
>
>
> > Don,
> >
> > I have a setup in my lab with a router outside the pix configured as an NTP
> > master and a router inside the firewall configured as an NTP server. My 501
> > runs 6.22 and has no problem allowing the return connection from the master
> > back to the server. I have no entry in my acl on the outside interface to
> > accomplish this. Can you supply your configs?
> >
> > Brian T. Albert
> > CCIE #9682
> > brian.albert@worldnet.att.net
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > Don
> > Sent: Friday, December 13, 2002 6:13 PM
> > To: ccielab@groupstudy.com
> > Subject: NTP through a PIX 501
> >
> >
> > Anyone know how to allow NTP clients behind a PIX 501 running 6.22 to do a
> > time request? In my network, the NTP clients try to contact the time server
> > on the Internet, but the PIX does not allow the response from the server
> > back into the network.
> > Thanks, Don
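The two syslog lines Don posted (305011 for the PAT xlate, 302015 for the outbound UDP connection) are enough to reconstruct what the PIX's translation and connection tables should contain for that NTP exchange. The following script, an added example and not code from Don, Brian or Cisco, replays such lines into a small model of those two tables and answers the question the sniffer raised: for a UDP datagram arriving on the outside interface, is it un-translated to the inside client, held for the outside ACL, addressed to the PIX's own NTP client, or dropped. The sample log lines are constructed, with 198.51.100.7 standing in for the masked outside address; the assumption that the PIX sources its own `ntp server ... source outside` traffic from port 123 is mine, nothing in the thread confirms it, and the model does not claim to explain why Don's PIX drops the reply.

```python
# Added example (not from the thread): replay PIX 6.x syslog 305011/302015
# lines into a model of the PAT xlate and UDP connection tables, then ask
# where a datagram arriving on the outside interface would be delivered.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, udp port)

# Formats follow the two log lines in the thread; the optional %PIX-n- prefix
# is what the same messages carry when forwarded to a syslog server.
XLATE_RE = re.compile(
    r"(?:%PIX-\d-)?305011: Built dynamic UDP translation from "
    r"(\w+):([\d.]+)/(\d+) to (\w+):([\d.]+)/(\d+)")
CONN_RE = re.compile(
    r"(?:%PIX-\d-)?302015: Built outbound UDP connection (\d+) for "
    r"(\w+):([\d.]+)/(\d+) \(([\d.]+)/(\d+)\) to "
    r"(\w+):([\d.]+)/(\d+) \(([\d.]+)/(\d+)\)")


@dataclass(frozen=True)
class Xlate:
    real: Endpoint    # inside host and port
    mapped: Endpoint  # PAT address/port on the outside interface


@dataclass(frozen=True)
class Conn:
    conn_id: int
    remote: Endpoint  # the NTP server
    mapped: Endpoint  # PAT endpoint the server replies to
    real: Endpoint    # inside client the reply is un-translated to


class PixState:
    def __init__(self, outside_ip: str, pix_ntp_port: int = 123) -> None:
        self.outside_ip = outside_ip
        # Port the PIX itself sources from for 'ntp server ... source outside';
        # assumed to be 123 here (not stated anywhere in the thread).
        self.pix_ntp_port = pix_ntp_port
        self.xlates: Dict[Endpoint, Xlate] = {}                 # by mapped endpoint
        self.conns: Dict[Tuple[Endpoint, Endpoint], Conn] = {}  # by (remote, mapped)

    def feed(self, line: str) -> None:
        m = XLATE_RE.search(line)
        if m:
            x = Xlate(real=(m[2], int(m[3])), mapped=(m[5], int(m[6])))
            self.xlates[x.mapped] = x
            return
        m = CONN_RE.search(line)
        if m:
            c = Conn(conn_id=int(m[1]), remote=(m[3], int(m[4])),
                     mapped=(m[10], int(m[11])), real=(m[8], int(m[9])))
            self.conns[(c.remote, c.mapped)] = c

    def classify_return(self, src: Endpoint, dst: Endpoint) -> Tuple[str, Optional[Endpoint]]:
        """Fate of a UDP datagram src->dst arriving on the outside interface."""
        conn = self.conns.get((src, dst))
        if conn is not None:
            # Matches a live outbound connection: un-PAT and forward inside.
            return ("forward", conn.real)
        if dst in self.xlates:
            # PAT entry exists but no live conn for this peer (expired under
            # 'timeout conn ... udp 0:02:00', or a different server): the
            # outside interface ACL decides, and outside_access_in in the
            # posted config only permits icmp.
            return ("acl-check", self.xlates[dst].real)
        if dst == (self.outside_ip, self.pix_ntp_port):
            # Addressed to the firewall's own NTP client, not an inside host.
            return ("to-pix", dst)
        return ("drop", None)


# Constructed sample: the thread's two log lines with 198.51.100.7 standing
# in for the masked outside address, the wrapped 302015 line rejoined.
SAMPLE_LOG: List[str] = [
    "305011: Built dynamic UDP translation from inside:192.168.1.100/123 "
    "to outside:198.51.100.7/366",
    "302015: Built outbound UDP connection 10601 for outside:207.46.248.43/123 "
    "(207.46.248.43/123) to inside:192.168.1.100/123 (198.51.100.7/366)",
]


def build_state(lines: List[str], outside_ip: str) -> PixState:
    state = PixState(outside_ip)
    for line in lines:
        state.feed(line)
    return state


if __name__ == "__main__":
    s = build_state(SAMPLE_LOG, "198.51.100.7")
    for src, dst in [(("207.46.248.43", 123), ("198.51.100.7", 366)),
                     (("207.46.248.43", 123), ("198.51.100.7", 123)),
                     (("203.0.113.9", 123), ("198.51.100.7", 366))]:
        print(src, "->", dst, s.classify_return(src, dst))
```

For the exchange in the thread the model says the server's reply to mapped port 366 should be forwarded to 192.168.1.100/123, while a reply to port 123 on the outside address belongs to the PIX's own NTP client and never reaches an inside host. That makes the destination port of the reply seen on the sniffer the first thing to compare against the mapped port in the 302015 line; a reply that arrives after the 2-minute UDP conn timeout lands in the acl-check case instead, and the posted outside_access_in would deny it.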
This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:46 GMT-3