Re: NTP through a PIX 501

From: Don (seadon@attbi.com)
Date: Wed Dec 18 2002 - 12:55:31 GMT-3


It was there. It was "ntp server 207.46.248.43 source outside"
    Don

----- Original Message -----
From: "Brian T. Albert" <brian.albert@worldnet.att.net>
To: "Chuck Church" <ccie8776@rochester.rr.com>; "Don" <seadon@attbi.com>;
<ccielab@groupstudy.com>
Sent: Monday, December 16, 2002 2:24 PM
Subject: RE: NTP through a PIX 501

> What is the PIX pointing to? There are no NTP related commands in the PIX
> configuration.
>
> Brian
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Chuck Church
> Sent: Monday, December 16, 2002 1:11 PM
> To: Don; brian.albert@worldnet.att.net; ccielab@groupstudy.com
> Subject: Re: NTP through a PIX 501
>
>
> Any idea why that happened? My guess is the PIX is confusing the
> translation, and thinking those incoming NTP replies are destined for
> itself, even though it's got a PAT entry for the device behind it using
> port 366. What version is the PIX running?
>
> Chuck Church
> CCIE #8776, MCNE, MCSE
>
>
> ----- Original Message -----
> From: "Don" <seadon@attbi.com>
> To: <brian.albert@worldnet.att.net>; <ccielab@groupstudy.com>
> Sent: Monday, December 16, 2002 1:03 PM
> Subject: Re: NTP through a PIX 501
>
>
> > Ahh, success at last! The solution was to point the internal clients at
> > a different server than the one PIX 501 was using. Among the clients I
> > was using were Cisco 2500, 2600, and 3600 routers, so I was sure the
> > client was not the problem. Thanks very much for the help. Knowing that
> > it did work for others with my configuration helped quite a bit.
> > Don
> >
> > ----- Original Message -----
> > From: "Brian T. Albert" <brian.albert@worldnet.att.net>
> > To: "Don" <seadon@attbi.com>; <ccielab@groupstudy.com>
> > Sent: Monday, December 16, 2002 9:20 AM
> > Subject: RE: NTP through a PIX 501
> >
> >
> > > Don,
> > >
> > > This is correct and what you should see. It is exactly what my debugs
> > > show, and my internal router is getting the correct time from a router
> > > outside the pix.
> > >
> > > What type of clients are on your home network? Is it a Win2K server
> > > trying to get the time, or Win2K professional? I believe your problem
> > > is with the client, not the pix.
> > >
> > > Brian
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > > Don
> > > Sent: Sunday, December 15, 2002 11:17 PM
> > > To: ccielab@groupstudy.com
> > > Subject: Re: NTP through a PIX 501
> > >
> > >
> > > Here is the log of the UDP translation it sets up. This is my home
> > > network and it does not have any dedicated routers to act as NTP
> > > masters at this time as they are all being used for my practice lab.
> > > All the clients are either Windows computers or Cisco 2600 or 3600
> > > routers. Neither can get the time as neither gets a return packet back
> > > through the PIX. It just drops the return packet with no other log
> > > entries than what you see here. The Internet NTP server does return a
> > > packet.
> > >
> > >
> > > 305011: Built dynamic UDP translation from inside:192.168.1.100/123 to
> > > outside:xxx.xxx.xxx.xxx/366
> > > 302015: Built outbound UDP connection 10601 for outside:207.46.248.43/123
> > > (207.46.248.43/123) to inside:192.168.1.100/123 (xxx.xxx.xxx.xxx/366)
> > >
> > > ----- Original Message -----
> > > From: "Brian T. Albert" <brian.albert@worldnet.att.net>
> > > To: "Don" <seadon@attbi.com>; <ccielab@groupstudy.com>
> > > Sent: Sunday, December 15, 2002 12:51 PM
> > > Subject: RE: NTP through a PIX 501
> > >
> > >
> > > > Don,
> > > >
> > > > What does your debug log show? Do you see the connection being built?
> > > > Anything being denied?
> > > >
> > > > Brian
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > > > Don
> > > > Sent: Saturday, December 14, 2002 3:43 PM
> > > > To: ccielab@groupstudy.com
> > > > Subject: Re: NTP through a PIX 501
> > > >
> > > >
> > > > Here is the config. A sniffer shows a response coming back to the
> > > > outside port, but not making it through to the inside port. I wonder
> > > > if it has anything to do with the 501 acting as a client and so
> > > > sending NTP responses to itself?
> > > >
> > > > Thanks for the help, Don
> > > >
> > > > PIX Version 6.2(2)
> > > > nameif ethernet0 outside security0
> > > > nameif ethernet1 inside security100
> > > > enable password ???????????? encrypted
> > > > passwd ????????????? encrypted
> > > > hostname pixfirewall
> > > > domain-name ???????????
> > > > clock timezone PST -8
> > > > clock summer-time PDT recurring
> > > > fixup protocol ftp 21
> > > > fixup protocol http 80
> > > > fixup protocol h323 h225 1720
> > > > fixup protocol h323 ras 1718-1719
> > > > fixup protocol ils 389
> > > > fixup protocol rsh 514
> > > > fixup protocol rtsp 554
> > > > fixup protocol smtp 25
> > > > fixup protocol sqlnet 1521
> > > > fixup protocol sip 5060
> > > > fixup protocol skinny 2000
> > > > names
> > > > access-list inside_access_in permit ip any any
> > > > access-list outside_access_in permit icmp any any
> > > > pager lines 24
> > > > logging on
> > > > interface ethernet0 10baset
> > > > interface ethernet1 10full
> > > > mtu outside 1500
> > > > mtu inside 1500
> > > > ip address outside dhcp setroute
> > > > ip address inside 192.168.1.1 255.255.255.0
> > > > ip audit info action alarm
> > > > ip audit attack action alarm
> > > > pdm logging debugging 100
> > > > pdm history enable
> > > > arp timeout 14400
> > > > global (outside) 1 interface
> > > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > > > access-group outside_access_in in interface outside
> > > > access-group inside_access_in in interface inside
> > > > timeout xlate 0:05:00
> > > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
> > > > 0:05:00 sip 0:30:00 sip_media 0:02:00
> > > > timeout uauth 0:05:00 absolute
> > > > aaa-server TACACS+ protocol tacacs+
> > > > aaa-server RADIUS protocol radius
> > > > aaa-server LOCAL protocol local
> > > > ntp server 207.46.248.43 source outside
> > > > http server enable
> > > > http 192.168.1.0 255.255.255.0 inside
> > > > no snmp-server location
> > > > no snmp-server contact
> > > > snmp-server community public
> > > > no snmp-server enable traps
> > > > floodguard enable
> > > > no sysopt route dnat
> > > > telnet 192.168.1.0 255.255.255.0 inside
> > > > telnet timeout 5
> > > > ssh timeout 5
> > > > dhcpd address 192.168.1.100-192.168.1.131 inside
> > > > dhcpd lease 3600
> > > > dhcpd ping_timeout 750
> > > > dhcpd auto_config outside
> > > > dhcpd enable inside
> > > > terminal width 80
> > > > Cryptochecksum:??????????: end
> > > > pixfirewall#
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Brian T. Albert" <brian.albert@worldnet.att.net>
> > > > To: "Don" <seadon@attbi.com>; <ccielab@groupstudy.com>
> > > > Sent: Friday, December 13, 2002 5:59 PM
> > > > Subject: RE: NTP through a PIX 501
> > > >
> > > >
> > > > > Don,
> > > > >
> > > > > I have a setup in my lab with a router outside the pix configured
> > > > > as an NTP master and a router inside the firewall configured as an
> > > > > NTP server. My 501 runs 6.22 and has no problem allowing the return
> > > > > connection from the master back to the server. I have no entry in
> > > > > my acl on the outside interface to accomplish this. Can you supply
> > > > > your configs?
> > > > >
> > > > > Brian T. Albert
> > > > > CCIE #9682
> > > > > brian.albert@worldnet.att.net
> > > > >
> > > > > -----Original Message-----
> > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > > > > Don
> > > > > Sent: Friday, December 13, 2002 6:13 PM
> > > > > To: ccielab@groupstudy.com
> > > > > Subject: NTP through a PIX 501
> > > > >
> > > > >
> > > > > Anyone know how to allow NTP clients behind a PIX 501 running 6.22
> > > > > to do a time request? In my network, the NTP clients try to contact
> > > > > the time server on the Internet, but the PIX does not allow the
> > > > > response from the server back into the network.
> > > > > Thanks, Don
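The thread's diagnosis turned into a check an operator can run over PIX syslog; this is an added example, not code from the original thread. It parses the `ntp server` line from the config and the 302015 connection messages, and flags inside NTP clients that poll the same server, out of the same interface, that the firewall's own NTP client uses (the overlap Chuck suspected and Don's fix avoided). The sample lines are the ones quoted in the thread plus one constructed DNS connection; 192.0.2.53 is a constructed address.

```python
import re

# Constructed sample input: the relevant lines of the PIX config and the two
# syslog messages quoted in the thread (public address redacted as in the post),
# plus one constructed non-NTP connection (192.0.2.53) that must not be flagged.
PIX_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
ntp server 207.46.248.43 source outside
"""

SYSLOG = """\
305011: Built dynamic UDP translation from inside:192.168.1.100/123 to outside:xxx.xxx.xxx.xxx/366
302015: Built outbound UDP connection 10601 for outside:207.46.248.43/123 (207.46.248.43/123) to inside:192.168.1.100/123 (xxx.xxx.xxx.xxx/366)
302015: Built outbound UDP connection 10602 for outside:192.0.2.53/53 (192.0.2.53/53) to inside:192.168.1.101/1025 (xxx.xxx.xxx.xxx/367)
"""

NTP_SERVER_RE = re.compile(r"^ntp server (\S+) source (\S+)", re.M)
# 302015: ... for <if>:<ip>/<port> (<mapped>) to <if>:<ip>/<port> (<mapped_ip>/<mapped_port>)
CONN_RE = re.compile(
    r"302015: Built outbound UDP connection (?P<id>\d+) for "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \(\S+\) to "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"\((?P<mapped_ip>\S+)/(?P<mapped_port>\d+)\)"
)

def pix_ntp_servers(config):
    """Map each configured NTP server to the interface the PIX polls it from."""
    return dict(NTP_SERVER_RE.findall(config))

def outbound_udp_conns(syslog):
    """Parse every 302015 message into a dict of its fields; other lines are skipped."""
    return [m.groupdict() for m in CONN_RE.finditer(syslog)]

def ntp_collisions(config, syslog):
    """Return inside clients whose NTP server, reached through a given interface,
    is also the server the PIX itself polls from that interface. The thread's
    fix was to point such clients at a different server."""
    servers = pix_ntp_servers(config)
    return [
        {"client": c["src_ip"], "server": c["dst_ip"],
         "mapped_port": int(c["mapped_port"]), "conn_id": int(c["id"])}
        for c in outbound_udp_conns(syslog)
        if c["dst_port"] == "123" and servers.get(c["dst_ip"]) == c["dst_if"]
    ]

if __name__ == "__main__":
    for h in ntp_collisions(PIX_CONFIG, SYSLOG):
        print(f"{h['client']} -> {h['server']}/123 (PAT port {h['mapped_port']}): same server the PIX polls")
```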



This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:48 GMT-3