On Wed, 27 Feb 2002, Shi, Ning wrote:
> After a quick research, I think the problem might be the ntp config. ntp is
> working in symmetric mode in your case. So the external NTP server might
> send you the update without any request initiated by your router. This will
> be blocked by the ACL.
It seems, that locally generated packets don't pass through ACL. I've
tested this with DNS queries - there is same result - corresponding rules
didn't put in the reflexive list. So, it is need to allow router's
activity in usual lists and I've change 'IN' to:
ip access-list extended IN
permit udp host <ntp-server> eq ntp host <localhost> eq ntp
permit udp host <domain-server> eq domain host <localhost>
evaluate OUT-reflect
[ ... ]
deny ip any any log
and this works fine.
-- :r !ripewhois DOKA1-RIPE ------------------------------------------------------------------------- Never try to teach a pig to sing. It wastes your time and annoys the pig. -- Lazarus Long, "Time Enough for Love"
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:34 EDT