Hi,
After a quick research, I think the problem might be the ntp config. ntp is
working in symmetric mode in your case. So the external NTP server might
send you the update without any request initiated by your router. This will
be blocked by the ACL.
You could try "set ntp client enable" command.
My 2 cents.
-ns
-----Original Message-----
From: Vladimir Litovka [mailto:doka@kiev.sovam.com]
Sent: 26 February 2002 11:06 AM
To: cisco-nsp@puck.nether.net
Subject: NTP & reflexive access list
Hi,
I want to synchronize my router with external NTP server. Security is
based on reflexive access lists, part of config follows:
int Loop0
ip address a.a.a.a 255.255.255.255
!
int BRI0
descr To Internet
ip unnum Loop0
ip access-group IN in
ip access-group OUT out
!
ip access-list extended OUT
permit ip any any reflect OUT-reflect
ip access-list extended IN
evaluate OUT-reflect
deny ip any any log
!
ntp server z.z.z.z
ntp source Loop0
but if router originates request to ntp server, access list OUT-reflect
doesn't contain corresponding record to allow answers so they are denied
and log notes:
list IN denied udp z.z.z.z(123) -> a.a.a.a(123), 3 packets
at this moment other UDP sessions work fine and they are reflected in
OUT-reflect. When I manually allow 123/udp packets from z.z.z.z in 'IN'
list, things are ok. Do reflexive ACLs support NTP?
IOS is c1700-sy56i-mz.121-12b.bin, but it's behaviour the same as
12.0(5)T1's
-- :r !ripewhois DOKA1-RIPE ------------------------------------------------------------------------- Never try to teach a pig to sing. It wastes your time and annoys the pig. -- Lazarus Long, "Time Enough for Love"
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:06 EDT