RE: NTP & reflexive access list

From: Shi, Ning (ning.shi@bellnexxia.com)
Date: Wed Feb 27 2002 - 12:16:18 EST


Hi,
After some quick research, I think the problem might be the NTP config. NTP is
working in symmetric mode in your case. So the external NTP server might
send you the update without any request initiated by your router. This will
be blocked by the ACL.

You could try "set ntp client enable" command.

My 2 cents.

-ns

-----Original Message-----
From: Vladimir Litovka [mailto:doka@kiev.sovam.com]
Sent: 26 February 2002 11:06 AM
To: cisco-nsp@puck.nether.net
Subject: NTP & reflexive access list

Hi,

 I want to synchronize my router with an external NTP server. Security is
 based on reflexive access lists; part of the config follows:

int Loop0
 ip address a.a.a.a 255.255.255.255
!
int BRI0
 descr To Internet
 ip unnum Loop0
 ip access-group IN in
 ip access-group OUT out
!
ip access-list extended OUT
 permit ip any any reflect OUT-reflect
ip access-list extended IN
 evaluate OUT-reflect
 deny ip any any log
!
ntp server z.z.z.z
ntp source Loop0

 but if the router originates a request to the NTP server, access list OUT-reflect
 doesn't contain a corresponding entry to allow the answers, so they are denied
 and the log notes:

 list IN denied udp z.z.z.z(123) -> a.a.a.a(123), 3 packets

 at this moment other UDP sessions work fine and are reflected in
 OUT-reflect. When I manually allow 123/udp packets from z.z.z.z in the 'IN'
 list, things are OK. Do reflexive ACLs support NTP?

 IOS is c1700-sy56i-mz.121-12b.bin, but its behaviour is the same as
 12.0(5)T1's.

-- 
:r !ripewhois DOKA1-RIPE
-------------------------------------------------------------------------
Never try to teach a pig to sing. It wastes your time and annoys the pig.
                -- Lazarus Long, "Time Enough for Love"
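As an added illustration (written here, not by either poster and not IOS code), a small Python model of the IN/OUT reflexive ACL pair from the quoted config. It reproduces the behaviour reported in the thread: a transit UDP session gets an OUT-reflect entry and its reply is permitted, the router's own NTP request (source Loop0, port 123 both ways) gets none so the reply is denied with the logged line, and the manual permit for 123/udp from z.z.z.z lets it through. The model's assumption that router-originated packets bypass the outbound ACL, and the host h.h.h.h and server d.d.d.d, are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        # The entry a reflexive ACL installs: addresses and ports swapped.
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class ReflexiveAcl:
    reflect: set = field(default_factory=set)    # OUT-reflect entries
    static_in: set = field(default_factory=set)  # manual permits on list IN
    log: list = field(default_factory=list)

    def outbound(self, pkt, router_originated=False):
        # List OUT: "permit ip any any reflect OUT-reflect". Model assumption:
        # packets the router generates itself bypass the outbound ACL, so no
        # OUT-reflect entry is created for them (matches the reported symptom).
        if not router_originated:
            self.reflect.add(pkt.reverse())

    def inbound(self, pkt):
        # List IN: "evaluate OUT-reflect", then static permits, else deny + log.
        if pkt in self.reflect or (pkt.proto, pkt.src, pkt.dport) in self.static_in:
            return True
        self.log.append(f"list IN denied {pkt.proto} {pkt.src}({pkt.sport})"
                        f" -> {pkt.dst}({pkt.dport}), 1 packet")
        return False


def scenario():
    acl = ReflexiveAcl()
    # Transit UDP session (constructed DNS lookup from a host behind the router).
    acl.outbound(Packet("udp", "h.h.h.h", 40000, "d.d.d.d", 53))
    transit_ok = acl.inbound(Packet("udp", "d.d.d.d", 53, "h.h.h.h", 40000))
    # Router's own NTP request from Loop0 (a.a.a.a) to z.z.z.z; NTP uses 123/123.
    acl.outbound(Packet("udp", "a.a.a.a", 123, "z.z.z.z", 123), router_originated=True)
    ntp_reply = Packet("udp", "z.z.z.z", 123, "a.a.a.a", 123)
    ntp_before = acl.inbound(ntp_reply)
    # The workaround from the post: a static permit for 123/udp from z.z.z.z on IN.
    acl.static_in.add(("udp", "z.z.z.z", 123))
    ntp_after = acl.inbound(ntp_reply)
    return transit_ok, ntp_before, ntp_after, acl.log
```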



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:06 EDT