Re: NTP through a PIX 501

From: Chuck Church (ccie8776@rochester.rr.com)
Date: Mon Dec 16 2002 - 16:10:47 GMT-3


Any idea why that happened? My guess is the PIX is confusing the
translation, and thinking those incoming NTP replies are destined for
itself, even though it's got a PAT entry for the device behind it using port
366. What version is the PIX running?

Chuck Church
CCIE #8776, MCNE, MCSE

----- Original Message -----
From: "Don" <seadon@attbi.com>
To: <brian.albert@worldnet.att.net>; <ccielab@groupstudy.com>
Sent: Monday, December 16, 2002 1:03 PM
Subject: Re: NTP through a PIX 501

> Ahh, success at last! The solution was to point the internal clients at a
> different server than the one PIX 501 was using. Among the clients I was
> using were Cisco 2500, 2600, and 3600 routers, so I was sure the client was
> not the problem. Thanks very much for the help. Knowing that it did work
> for others with my configuration helped quite a bit.
> Don
>
> ----- Original Message -----
> From: "Brian T. Albert" <brian.albert@worldnet.att.net>
> To: "Don" <seadon@attbi.com>; <ccielab@groupstudy.com>
> Sent: Monday, December 16, 2002 9:20 AM
> Subject: RE: NTP through a PIX 501
>
>
> > Don,
> >
> > This is correct and what you should see. It is exactly what my debugs show,
> > and my internal router is getting the correct time from a router outside the
> > pix.
> >
> > What type of clients are on your home network? Is it a Win2K server trying
> > to get the time, or Win2K professional? I believe your problem is with the
> > client, not the pix.
> >
> > Brian
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > Don
> > Sent: Sunday, December 15, 2002 11:17 PM
> > To: ccielab@groupstudy.com
> > Subject: Re: NTP through a PIX 501
> >
> >
> > Here is the log of the UDP translation it sets up. This is my home network
> > and it does not have any dedicated routers to act as NTP masters at this
> > time as they are all being used for my practice lab. All the clients are
> > either windows computers or Cisco 2600 or 3600 routers. Neither can get the
> > time as neither gets a return packet back through the PIX. It just drops the
> > return packet with no other log entries than what you see here. The
> > Internet NTP server does return a packet.
> >
> >
> > 305011: Built dynamic UDP translation from inside:192.168.1.100/123 to
> > outside:xxx.xxx.xxx.xxx/366
> > 302015: Built outbound UDP connection 10601 for outside:207.46.248.43/123
> > (207.46.248.43/123) to inside:192.168.1.100/123 (xxx.xxx.xxx.xxx/366)
> >
> > ----- Original Message -----
> > From: "Brian T. Albert" <brian.albert@worldnet.att.net>
> > To: "Don" <seadon@attbi.com>; <ccielab@groupstudy.com>
> > Sent: Sunday, December 15, 2002 12:51 PM
> > Subject: RE: NTP through a PIX 501
> >
> >
> > > Don,
> > >
> > > What does you debug log show? Do you see the connection being built?
> > > Anything being denied?
> > >
> > > Brian
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > > Don
> > > Sent: Saturday, December 14, 2002 3:43 PM
> > > To: ccielab@groupstudy.com
> > > Subject: Re: NTP through a PIX 501
> > >
> > >
> > > Here is the config. A sniffer shows a response coming back to the outside
> > > port, but not making it through to the inside port. I wonder if it has
> > > anything to do with the 501 acting as a client and so sending NTP responses
> > > to itself?
> > >
> > > Thanks for the help, Don
> > >
> > > PIX Version 6.2(2)
> > > nameif ethernet0 outside security0
> > > nameif ethernet1 inside security100
> > > enable password ???????????? encrypted
> > > passwd ????????????? encrypted
> > > hostname pixfirewall
> > > domain-name ???????????
> > > clock timezone PST -8
> > > clock summer-time PDT recurring
> > > fixup protocol ftp 21
> > > fixup protocol http 80
> > > fixup protocol h323 h225 1720
> > > fixup protocol h323 ras 1718-1719
> > > fixup protocol ils 389
> > > fixup protocol rsh 514
> > > fixup protocol rtsp 554
> > > fixup protocol smtp 25
> > > fixup protocol sqlnet 1521
> > > fixup protocol sip 5060
> > > fixup protocol skinny 2000
> > > names
> > > access-list inside_access_in permit ip any any
> > > access-list outside_access_in permit icmp any any
> > > pager lines 24
> > > logging on
> > > interface ethernet0 10baset
> > > interface ethernet1 10full
> > > mtu outside 1500
> > > mtu inside 1500
> > > ip address outside dhcp setroute
> > > ip address inside 192.168.1.1 255.255.255.0
> > > ip audit info action alarm
> > > ip audit attack action alarm
> > > pdm logging debugging 100
> > > pdm history enable
> > > arp timeout 14400
> > > global (outside) 1 interface
> > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > > access-group outside_access_in in interface outside
> > > access-group inside_access_in in interface inside
> > > timeout xlate 0:05:00
> > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
> > > 0:05:00 sip 0:30:00 sip_media 0:02:00
> > > timeout uauth 0:05:00 absolute
> > > aaa-server TACACS+ protocol tacacs+
> > > aaa-server RADIUS protocol radius
> > > aaa-server LOCAL protocol local
> > > ntp server 207.46.248.43 source outside
> > > http server enable
> > > http 192.168.1.0 255.255.255.0 inside
> > > no snmp-server location
> > > no snmp-server contact
> > > snmp-server community public
> > > no snmp-server enable traps
> > > floodguard enable
> > > no sysopt route dnat
> > > telnet 192.168.1.0 255.255.255.0 inside
> > > telnet timeout 5
> > > ssh timeout 5
> > > dhcpd address 192.168.1.100-192.168.1.131 inside
> > > dhcpd lease 3600
> > > dhcpd ping_timeout 750
> > > dhcpd auto_config outside
> > > dhcpd enable inside
> > > terminal width 80
> > > Cryptochecksum:??????????: end
> > > pixfirewall#
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "Brian T. Albert" <brian.albert@worldnet.att.net>
> > > To: "Don" <seadon@attbi.com>; <ccielab@groupstudy.com>
> > > Sent: Friday, December 13, 2002 5:59 PM
> > > Subject: RE: NTP through a PIX 501
> > >
> > >
> > > > Don,
> > > >
> > > > I have a setup in my lab with a router outside the pix configured as an NTP
> > > > master and a router inside the firewall configured as an NTP server. My 501
> > > > runs 6.22 and has no problem allowing the return connection from the master
> > > > back to the server. I have no entry in my acl on the outside interface to
> > > > accomplish this. Can you supply your configs?
> > > >
> > > > Brian T. Albert
> > > > CCIE #9682
> > > > brian.albert@worldnet.att.net
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > > > Don
> > > > Sent: Friday, December 13, 2002 6:13 PM
> > > > To: ccielab@groupstudy.com
> > > > Subject: NTP through a PIX 501
> > > >
> > > >
> > > > Anyone know how to allow NTP clients behind a PIX 501 running 6.22 to do a
> > > > time request? In my network, the NTP clients try to contact the time server
> > > > on the Internet, but the PIX does not allow the response from the server
> > > > back into the network.
> > > > Thanks, Don
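Added example, not part of the thread above and not Cisco code: a small Python model of the situation the thread describes. It parses the two PIX syslog message types Don posted (305011, the dynamic PAT xlate; 302015, the outbound UDP connection) and the `ntp server ... source outside` line from his config, shows how a stateful PAT table is expected to demultiplex an inbound UDP 123 reply (to the inside host when a matching xlate exists, to the firewall's own NTP client when the reply lands on the interface address with no xlate), and flags the condition Don ended up working around: inside clients and the firewall polling the same upstream server. The public address in the sample lines is a constructed RFC 5737 address standing in for the masked one in the post; all class and function names are this example's own.

```python
"""
Added example (not from the original thread or from Cisco): model how a PIX-style
PAT table should route inbound NTP replies, and detect when the firewall and the
hosts behind it share an upstream NTP server. Log formats follow the 305011 and
302015 lines posted in the thread; everything else here is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed sample input modelled on Don's two syslog lines. The masked public
# address in the post is replaced with a documentation address (203.0.113.5).
SAMPLE_LOG = """\
305011: Built dynamic UDP translation from inside:192.168.1.100/123 to outside:203.0.113.5/366
302015: Built outbound UDP connection 10601 for outside:207.46.248.43/123 (207.46.248.43/123) to inside:192.168.1.100/123 (203.0.113.5/366)
"""

# Constructed config fragment; the three lines are copied from the posted config.
SAMPLE_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
ntp server 207.46.248.43 source outside
"""

XLATE_RE = re.compile(
    r"^305011: Built dynamic UDP translation from "
    r"(?P<in_if>\w+):(?P<in_ip>[\d.]+)/(?P<in_port>\d+) to "
    r"(?P<out_if>\w+):(?P<out_ip>[\d.]+)/(?P<out_port>\d+)$"
)
CONN_RE = re.compile(
    r"^302015: Built outbound UDP connection (?P<id>\d+) for "
    r"(?P<peer_if>\w+):(?P<peer_ip>[\d.]+)/(?P<peer_port>\d+) \([\d.]+/\d+\) to "
    r"(?P<in_if>\w+):(?P<in_ip>[\d.]+)/(?P<in_port>\d+) "
    r"\((?P<map_ip>[\d.]+)/(?P<map_port>\d+)\)$"
)
NTP_SERVER_RE = re.compile(r"^ntp server (?P<ip>[\d.]+)(?: source (?P<iface>\w+))?")


@dataclass(frozen=True)
class Xlate:
    inside_ip: str
    inside_port: int
    mapped_ip: str
    mapped_port: int


@dataclass(frozen=True)
class Conn:
    inside_ip: str
    inside_port: int
    peer_ip: str
    peer_port: int


def parse_xlates(log_text):
    """Dynamic UDP PAT entries announced by 305011 messages."""
    return [
        Xlate(m["in_ip"], int(m["in_port"]), m["out_ip"], int(m["out_port"]))
        for m in (XLATE_RE.match(l.strip()) for l in log_text.splitlines()) if m
    ]


def parse_connections(log_text):
    """Outbound UDP connections announced by 302015 messages."""
    return [
        Conn(m["in_ip"], int(m["in_port"]), m["peer_ip"], int(m["peer_port"]))
        for m in (CONN_RE.match(l.strip()) for l in log_text.splitlines()) if m
    ]


def parse_ntp_servers(config_text):
    """NTP servers the firewall itself polls, keyed by IP -> source interface."""
    servers = {}
    for line in config_text.splitlines():
        m = NTP_SERVER_RE.match(line.strip())
        if m:
            servers[m["ip"]] = m["iface"]
    return servers


def route_reply(xlates, interface_ip, src_ip, src_port, dst_ip, dst_port):
    """
    Where an inbound UDP reply on the outside interface should go. A destination
    matching a PAT entry is untranslated to the inside host; a reply to the
    interface address on udp/123 with no xlate belongs to the firewall's own NTP
    client; anything else has no state and is dropped.
    """
    for x in xlates:
        if (dst_ip, dst_port) == (x.mapped_ip, x.mapped_port):
            return ("inside", x.inside_ip, x.inside_port)
    if dst_ip == interface_ip and dst_port == 123:
        return ("self", dst_ip, dst_port)
    return ("drop", dst_ip, dst_port)


def find_shared_servers(conns, ntp_servers):
    """(inside host, server) pairs where an inside client polls a server the firewall also polls."""
    return [
        (c.inside_ip, c.peer_ip)
        for c in conns if c.peer_port == 123 and c.peer_ip in ntp_servers
    ]
```

Running `find_shared_servers(parse_connections(SAMPLE_LOG), parse_ntp_servers(SAMPLE_CONFIG))` on the sample returns the one overlap (192.168.1.100 and the firewall both polling 207.46.248.43), which is the configuration the thread changed; `route_reply` shows the two inbound packets the PIX has to tell apart when it shares a public address with a PAT'd client, one to port 366 for the inside host and one to port 123 for itself.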



This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:46 GMT-3