NTP & reflexive access list

From: Vladimir Litovka (doka@kiev.sovam.com)
Date: Tue Feb 26 2002 - 11:06:06 EST


Hi,

 I want to synchronize my router with an external NTP server. Security is
 based on reflexive access lists; part of the config follows:

interface Loopback0
 ip address a.a.a.a 255.255.255.255
!
interface BRI0
 description To Internet
 ip unnumbered Loopback0
 ip access-group IN in
 ip access-group OUT out
!
! Everything leaving BRI0 is permitted and mirrored into OUT-reflect
ip access-list extended OUT
 permit ip any any reflect OUT-reflect
! Inbound: only replies to sessions recorded in OUT-reflect; log the rest
ip access-list extended IN
 evaluate OUT-reflect
 deny ip any any log
!
ntp server z.z.z.z
ntp source Loopback0

 but if the router originates a request to the NTP server, access list
 OUT-reflect doesn't contain a corresponding record to allow the answers, so
 they are denied and the log notes:

 list IN denied udp z.z.z.z(123) -> a.a.a.a(123), 3 packets

 At this moment other UDP sessions work fine and they are reflected in
 OUT-reflect. When I manually allow 123/udp packets from z.z.z.z in the 'IN'
 list, things are OK. Do reflexive ACLs support NTP?

 IOS is c1700-sy56i-mz.121-12b.bin, but its behaviour is the same as
 12.0(5)T1's.

-- 
:r !ripewhois DOKA1-RIPE
-------------------------------------------------------------------------
Never try to teach a pig to sing. It wastes your time and annoys the pig.
                -- Lazarus Long, "Time Enough for Love"
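The following is an added example, not router code and not part of the original post. It is a small Python model of the reflexive ACL in the posted config, written to reproduce the log line above and the workaround the poster found. It assumes the explanation usually given for this symptom: an interface's outbound access list (and therefore its `reflect` keyword) is applied to transit traffic only, not to packets the router itself generates, so the router's own NTP poll never creates an OUT-reflect entry. That rule, the addresses (`a.a.a.a`, `z.z.z.z`, a LAN host and a DNS server) and the `transit` flag are assumptions of the model, not something the post establishes.

```python
"""Toy model of a reflexive ACL on an interface, built to show why a
router-originated NTP poll gets its reply dropped while a transit UDP
session does not (constructed example; not IOS code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveRouter:
    """Models BRI0 with 'ip access-group OUT out' (permit ip any any reflect
    OUT-reflect) and 'ip access-group IN in' (evaluate OUT-reflect, then
    deny ip any any log), plus optional static permits in list IN."""

    def __init__(self, own_addr, static_in=()):
        self.own_addr = own_addr
        # OUT-reflect entries, stored as the 5-tuple the *reply* must match:
        # (proto, remote, remote_port, local, local_port)
        self.reflect = set()
        # Explicit permit lines placed before 'evaluate' in list IN
        self.static_in = set(static_in)
        self.log = []

    def send(self, pkt, transit=True):
        """A packet leaving BRI0. Only transit packets pass through the
        outbound interface ACL, so only they create a reflexive entry.
        (Assumption of the model: router-generated packets bypass it.)"""
        if transit:
            self.reflect.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return True  # OUT is 'permit ip any any reflect ...'

    def receive(self, pkt):
        """A packet arriving on BRI0, checked against list IN in order."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.static_in:      # manual permit, e.g. the NTP server
            return True
        if key in self.reflect:        # 'evaluate OUT-reflect'
            return True
        self.log.append(
            f"list IN denied {pkt.proto} {pkt.src}({pkt.sport}) "
            f"-> {pkt.dst}({pkt.dport})"
        )
        return False                   # 'deny ip any any log'


def run_scenario(static_ntp_permit):
    """Replay a transit DNS query and the router's own NTP poll.
    Returns (dns_reply_allowed, ntp_reply_allowed, log_lines)."""
    a, z = "a.a.a.a", "z.z.z.z"           # router loopback, NTP server
    lan_host, dns = "10.0.0.5", "198.51.100.53"  # constructed sample hosts
    # Narrow static permit: only the NTP server, only 123/udp, only to us.
    static = {("udp", z, 123, a, 123)} if static_ntp_permit else set()
    r = ReflexiveRouter(a, static)

    # 1. LAN host's DNS query transits BRI0: reflected, reply is allowed.
    r.send(Packet("udp", lan_host, 40000, dns, 53), transit=True)
    dns_ok = r.receive(Packet("udp", dns, 53, lan_host, 40000))

    # 2. Router's own NTP poll (ntp source Loopback0): no reflexive entry.
    r.send(Packet("udp", a, 123, z, 123), transit=False)
    ntp_ok = r.receive(Packet("udp", z, 123, a, 123))
    return dns_ok, ntp_ok, list(r.log)


if __name__ == "__main__":
    for fix in (False, True):
        dns_ok, ntp_ok, log = run_scenario(fix)
        print(f"static NTP permit={fix}: dns={dns_ok} ntp={ntp_ok} log={log}")
```

Without the static permit the model logs exactly the line the poster saw (`list IN denied udp z.z.z.z(123) -> a.a.a.a(123)`) while the transit DNS reply is allowed; with it, both pass. The IOS equivalent of that static entry is a `permit udp host z.z.z.z eq ntp host a.a.a.a eq ntp` line ahead of `evaluate OUT-reflect` in list IN, which is the narrowest form of the manual permit the poster describes: it pins the source host, both ports and the destination rather than opening 123/udp from anywhere.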



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:06 EDT