Re: NTP through a PIX 501

From: Don (seadon@attbi.com)
Date: Mon Dec 16 2002 - 15:03:55 GMT-3


Ahh, success at last! The solution was to point the internal clients at a
different server than the one PIX 501 was using. Among the clients I was
using were Cisco 2500, 2600, and 3600 routers, so I was sure the client was
not the problem. Thanks very much for the help. Knowing that it did work
for others with my configuration helped quite a bit.
    Don

----- Original Message -----
From: "Brian T. Albert" <brian.albert@worldnet.att.net>
To: "Don" <seadon@attbi.com>; <ccielab@groupstudy.com>
Sent: Monday, December 16, 2002 9:20 AM
Subject: RE: NTP through a PIX 501

> Don,
>
> This is correct and what you should see. It is exactly what my debugs show,
> and my internal router is getting the correct time from a router outside the
> pix.
>
> What type of clients are on your home network? Is it a Win2K server trying
> to get the time, or Win2K professional? I believe your problem is with the
> client, not the pix.
>
> Brian
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Don
> Sent: Sunday, December 15, 2002 11:17 PM
> To: ccielab@groupstudy.com
> Subject: Re: NTP through a PIX 501
>
>
> Here is the log of the UDP translation it sets up. This is my home network
> and it does not have any dedicated routers to act as NTP masters at this
> time as they are all being used for my practice lab. All the clients are
> either Windows computers or Cisco 2600 or 3600 routers. Neither can get the
> time as neither gets a return packet back through the PIX. It just drops the
> return packet with no other log entries than what you see here. The
> Internet NTP server does return a packet.
>
>
> 305011: Built dynamic UDP translation from inside:192.168.1.100/123 to outside:xxx.xxx.xxx.xxx/366
> 302015: Built outbound UDP connection 10601 for outside:207.46.248.43/123 (207.46.248.43/123) to inside:192.168.1.100/123 (xxx.xxx.xxx.xxx/366)
>
> ----- Original Message -----
> From: "Brian T. Albert" <brian.albert@worldnet.att.net>
> To: "Don" <seadon@attbi.com>; <ccielab@groupstudy.com>
> Sent: Sunday, December 15, 2002 12:51 PM
> Subject: RE: NTP through a PIX 501
>
>
> > Don,
> >
> > What does your debug log show? Do you see the connection being built?
> > Anything being denied?
> >
> > Brian
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > Don
> > Sent: Saturday, December 14, 2002 3:43 PM
> > To: ccielab@groupstudy.com
> > Subject: Re: NTP through a PIX 501
> >
> >
> > Here is the config. A sniffer shows a response coming back to the outside
> > port, but not making it through to the inside port. I wonder if it has
> > anything to do with the 501 acting as a client and so sending NTP responses
> > to itself?
> >
> > Thanks for the help, Don
> >
> > PIX Version 6.2(2)
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > enable password ???????????? encrypted
> > passwd ????????????? encrypted
> > hostname pixfirewall
> > domain-name ???????????
> > clock timezone PST -8
> > clock summer-time PDT recurring
> > fixup protocol ftp 21
> > fixup protocol http 80
> > fixup protocol h323 h225 1720
> > fixup protocol h323 ras 1718-1719
> > fixup protocol ils 389
> > fixup protocol rsh 514
> > fixup protocol rtsp 554
> > fixup protocol smtp 25
> > fixup protocol sqlnet 1521
> > fixup protocol sip 5060
> > fixup protocol skinny 2000
> > names
> > access-list inside_access_in permit ip any any
> > access-list outside_access_in permit icmp any any
> > pager lines 24
> > logging on
> > interface ethernet0 10baset
> > interface ethernet1 10full
> > mtu outside 1500
> > mtu inside 1500
> > ip address outside dhcp setroute
> > ip address inside 192.168.1.1 255.255.255.0
> > ip audit info action alarm
> > ip audit attack action alarm
> > pdm logging debugging 100
> > pdm history enable
> > arp timeout 14400
> > global (outside) 1 interface
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > access-group outside_access_in in interface outside
> > access-group inside_access_in in interface inside
> > timeout xlate 0:05:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
> > 0:05:00 sip 0:30:00 sip_media 0:02:00
> > timeout uauth 0:05:00 absolute
> > aaa-server TACACS+ protocol tacacs+
> > aaa-server RADIUS protocol radius
> > aaa-server LOCAL protocol local
> > ntp server 207.46.248.43 source outside
> > http server enable
> > http 192.168.1.0 255.255.255.0 inside
> > no snmp-server location
> > no snmp-server contact
> > snmp-server community public
> > no snmp-server enable traps
> > floodguard enable
> > no sysopt route dnat
> > telnet 192.168.1.0 255.255.255.0 inside
> > telnet timeout 5
> > ssh timeout 5
> > dhcpd address 192.168.1.100-192.168.1.131 inside
> > dhcpd lease 3600
> > dhcpd ping_timeout 750
> > dhcpd auto_config outside
> > dhcpd enable inside
> > terminal width 80
> > Cryptochecksum:??????????: end
> > pixfirewall#
> >
> >
> >
> > ----- Original Message -----
> > From: "Brian T. Albert" <brian.albert@worldnet.att.net>
> > To: "Don" <seadon@attbi.com>; <ccielab@groupstudy.com>
> > Sent: Friday, December 13, 2002 5:59 PM
> > Subject: RE: NTP through a PIX 501
> >
> >
> > > Don,
> > >
> > > I have a setup in my lab with a router outside the pix configured as an NTP
> > > master and a router inside the firewall configured as an NTP server. My 501
> > > runs 6.22 and has no problem allowing the return connection from the master
> > > back to the server. I have no entry in my acl on the outside interface to
> > > accomplish this. Can you supply your configs?
> > >
> > > Brian T. Albert
> > > CCIE #9682
> > > brian.albert@worldnet.att.net
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > > Don
> > > Sent: Friday, December 13, 2002 6:13 PM
> > > To: ccielab@groupstudy.com
> > > Subject: NTP through a PIX 501
> > >
> > >
> > > Anyone know how to allow NTP clients behind a PIX 501 running 6.22 to do a
> > > time request? In my network, the NTP clients try to contact the time server
> > > on the Internet, but the PIX does not allow the response from the server
> > > back into the network.
> > > Thanks, Don
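Brian's diagnostic question in the thread ("Do you see the connection being built? Anything being denied?") comes down to correlating two PIX 6.x syslog messages: the 305011 dynamic UDP translation and the 302015 outbound UDP connection for the client's port 123 flow, and checking that both name the same PAT port and that no deny follows. The script below is an added example written for this page, not code from the thread or from Cisco; the two sample log lines are the ones Don posted (with his redacted outside address kept as xxx.xxx.xxx.xxx), and the function names, the dataclass fields and the simple "Deny" keyword heuristic for unparsed lines are my own choices.

```python
"""Correlate the two PIX 6.x syslog messages seen in the thread (305011
"Built dynamic UDP translation" and 302015 "Built outbound UDP connection")
for an NTP client behind PAT, and report whether the firewall side of the
exchange looks complete.  Added example; not code from the thread."""
import re
from dataclasses import dataclass

# 'x' is accepted inside addresses so the redacted outside IP
# (xxx.xxx.xxx.xxx) from the post still parses.
_ADDR = r"[\dx]+(?:\.[\dx]+){3}"
XLATE_RE = re.compile(
    rf"^305011: Built dynamic UDP translation from (\w+):({_ADDR})/(\d+) "
    rf"to (\w+):({_ADDR})/(\d+)$"
)
CONN_RE = re.compile(
    rf"^302015: Built outbound UDP connection (\d+) for (\w+):({_ADDR})/(\d+) "
    rf"\(({_ADDR})/(\d+)\) to (\w+):({_ADDR})/(\d+) \(({_ADDR})/(\d+)\)$"
)


@dataclass(frozen=True)
class Xlate:
    real_if: str
    real_ip: str
    real_port: int
    mapped_if: str
    mapped_ip: str
    mapped_port: int


@dataclass(frozen=True)
class Conn:
    conn_id: int
    remote_ip: str
    remote_port: int
    local_if: str
    local_ip: str
    local_port: int
    mapped_ip: str
    mapped_port: int


def parse_pix_log(text: str):
    """Split a PIX log into xlate records, connection records and everything else."""
    xlates, conns, other = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = XLATE_RE.match(line)
        if m:
            xlates.append(Xlate(m[1], m[2], int(m[3]), m[4], m[5], int(m[6])))
            continue
        m = CONN_RE.match(line)
        if m:
            conns.append(Conn(int(m[1]), m[3], int(m[4]), m[7], m[8],
                              int(m[9]), m[10], int(m[11])))
            continue
        other.append(line)
    return xlates, conns, other


def check_ntp_path(text: str, client_ip: str, server_ip: str,
                   ntp_port: int = 123) -> dict:
    """Was the translation built, was the connection built, do they agree on
    the PAT port, and did the PIX log a deny for anything?"""
    xlates, conns, other = parse_pix_log(text)
    xl = next((x for x in xlates
               if x.real_ip == client_ip and x.real_port == ntp_port), None)
    conn = next((c for c in conns
                 if c.local_ip == client_ip and c.local_port == ntp_port
                 and c.remote_ip == server_ip and c.remote_port == ntp_port), None)
    # Heuristic (assumption): any unparsed line containing "Deny" counts as a deny.
    denies = [l for l in other if "Deny" in l]
    consistent = xl is not None and conn is not None and xl.mapped_port == conn.mapped_port
    return {
        "xlate_built": xl is not None,
        "conn_built": conn is not None,
        "mapped_port": xl.mapped_port if xl else None,
        "pat_consistent": consistent,
        "denies": denies,
        "unparsed": [l for l in other if "Deny" not in l],
    }


def firewall_side_ok(result: dict) -> bool:
    """True when the PIX built both halves of the flow and logged no deny.
    That is the situation in the thread: the log has nothing more to offer,
    so the next step is a capture on each interface, not more ACL work."""
    return (result["xlate_built"] and result["conn_built"]
            and result["pat_consistent"] and not result["denies"])


# Sample log: the two lines Don posted, each re-joined onto a single line.
SAMPLE_LOG = """
305011: Built dynamic UDP translation from inside:192.168.1.100/123 to outside:xxx.xxx.xxx.xxx/366
302015: Built outbound UDP connection 10601 for outside:207.46.248.43/123 (207.46.248.43/123) to inside:192.168.1.100/123 (xxx.xxx.xxx.xxx/366)
"""

if __name__ == "__main__":
    r = check_ntp_path(SAMPLE_LOG, "192.168.1.100", "207.46.248.43")
    for k, v in r.items():
        print(f"{k}: {v}")
    print("firewall side ok:", firewall_side_ok(r))
```

Run against Don's two lines it reports that the xlate and the connection were both built, that they agree on mapped port 366, and that nothing was denied, which is exactly why Brian concluded the PIX was not at fault. The script only reads what the PIX logged; it cannot see the silent drop of the return packet that Don's sniffer showed, nor the client-side cause he eventually worked around by pointing the inside hosts at a different NTP server than the one the PIX itself uses.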



This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:46 GMT-3