Hi,
I want to synchronize my router with an external NTP server. Security is
based on reflexive access lists; part of the config follows:
int Loop0
ip address a.a.a.a 255.255.255.255
!
int BRI0
descr To Internet
ip unnum Loop0
ip access-group IN in
ip access-group OUT out
!
ip access-list extended OUT
permit ip any any reflect OUT-reflect
ip access-list extended IN
evaluate OUT-reflect
deny ip any any log
!
ntp server z.z.z.z
ntp source Loop0
but if the router originates a request to the NTP server, access list OUT-reflect
doesn't contain a corresponding record to allow the answers, so they are denied
and the log notes:
list IN denied udp z.z.z.z(123) -> a.a.a.a(123), 3 packets
At this moment other UDP sessions work fine and they are reflected in
OUT-reflect. When I manually allow 123/udp packets from z.z.z.z in the 'IN'
list, things are OK. Do reflexive ACLs support NTP?
IOS is c1700-sy56i-mz.121-12b.bin, but its behaviour is the same as
12.0(5)T1's.
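A toy model of the IN/OUT reflexive ACL setup from this post, added here as an illustration and not taken from the poster's router or from IOS. It assumes, consistent with the denied-reply log above, that packets the router itself originates from Loop0 are not passed through the outbound interface ACL and therefore never create an OUT-reflect entry; the DNS flow, the 10.0.0.5 host and the 198.51.100.53 server are constructed sample values.

```python
"""Constructed model of the reflexive ACL behaviour described in the post."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class ReflexiveFirewall:
    router_ip: str                                          # a.a.a.a on Loop0
    manual_in_permits: set = field(default_factory=set)     # (proto, src, sport)
    reflect: set = field(default_factory=set)               # mirrored 5-tuples

    def outbound(self, p: Pkt) -> bool:
        """'permit ip any any reflect OUT-reflect' on BRI0 out."""
        # Assumption of this model: router-originated packets bypass the
        # outbound ACL, so the reflect statement never sees them.
        if p.src == self.router_ip:
            return True
        self.reflect.add((p.proto, p.dst, p.dport, p.src, p.sport))
        return True

    def inbound(self, p: Pkt) -> bool:
        """'evaluate OUT-reflect' then 'deny ip any any log' on BRI0 in."""
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.reflect:
            return True                     # reply to a tracked transit flow
        if (p.proto, p.src, p.sport) in self.manual_in_permits:
            return True                     # explicit permit added by hand
        print(f"list IN denied {p.proto} {p.src}({p.sport}) -> {p.dst}({p.dport})")
        return False


def demo(manual_ntp_permit: bool) -> dict:
    fw = ReflexiveFirewall("a.a.a.a")
    if manual_ntp_permit:
        fw.manual_in_permits.add(("udp", "z.z.z.z", 123))
    # transit DNS query from an inside host (constructed addresses)
    fw.outbound(Pkt("udp", "10.0.0.5", 40000, "198.51.100.53", 53))
    dns_ok = fw.inbound(Pkt("udp", "198.51.100.53", 53, "10.0.0.5", 40000))
    # NTP request the router itself sends from Loop0 (ntp source Loop0)
    fw.outbound(Pkt("udp", "a.a.a.a", 123, "z.z.z.z", 123))
    ntp_ok = fw.inbound(Pkt("udp", "z.z.z.z", 123, "a.a.a.a", 123))
    return {"dns": dns_ok, "ntp": ntp_ok}


if __name__ == "__main__":
    print(demo(False), demo(True))
```

Running it prints the same denied-reply line the post quotes for the NTP case without the manual permit, while the transit DNS reply passes via the reflected entry.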
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:34 EDT