[c-nsp] Configure NAT to use a certain port range for source ports
Randy
randy_94108 at yahoo.com
Sun Apr 15 15:40:53 EDT 2012
--- On Sun, 4/15/12, Gary Smith <lists at l33t-d00d.co.uk> wrote:
> From: Gary Smith <lists at l33t-d00d.co.uk>
> Subject: Re: [c-nsp] Configure NAT to use a certain port range for source ports
> To: "Jason Lixfeld" <jason at lixfeld.ca>, cisco-nsp at puck.nether.net
> Date: Sunday, April 15, 2012, 6:23 AM
> On 15/04/2012 13:59, Jason Lixfeld wrote:
> > Hi all,
> >
> > I have an inside NTP server behind an IOS NAT box that is trying to sync time from an outside NTP server. NAT changes the source port to some low port, but due to a bug in the NTP implementation on the outside NTP server, source ports < 123 are rejected. So - is there a way that I can configure NAT to use a high source port when the destination port is UDP/123?
> >
> > T
> Could you not use Static PAT here? It seems like it'd probably be a valid way to solve the problem rather than hoping that the NAT won't hit a port that the NTP server disagrees with.
>
> http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_staticpat.html
If I understand correctly -
you are attempting to have the NTP server on the inside sync with the NTP server on the outside. That would make it a "symmetric" connection where the source and destination ports would both be UDP 123. Using NAPT/PAT would break NTP.
How about "static NAT" only:
static (inside outside) <public ip> <real-ip of inside NTP server>
This would leave your source port intact.
On the inside-interface ACL applied inbound, you probably want to only allow UDP 123 to the public NTP server IP address from the real IP address of the NTP server on the inside.
hth,
./Randy
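To make the difference between the two replies concrete, here is an added example (not code from the thread or from Cisco) that models an inside NTP client behind port-overloading NAT (PAT) versus a one-to-one static NAT. The PAT port-allocation model is a simplification and an assumption: it keeps the original source port when free, otherwise picks the next free port from the same range (1-511, 512-1023, 1024-65535), which is how a symmetric UDP/123 flow ends up with a "low" source port that the buggy outside server rejects.

```python
"""Constructed model of PAT vs static NAT for symmetric NTP (UDP/123)."""
from dataclasses import dataclass, field

NTP_PORT = 123
# Assumed port ranges a PAT picks from when the original port is taken.
PAT_RANGES = [(1, 511), (512, 1023), (1024, 65535)]


@dataclass
class Pat:
    """Port-overloaded NAT: many inside hosts share one public address."""
    public_ip: str
    used_ports: set = field(default_factory=set)

    def translate(self, src_ip: str, src_port: int) -> tuple[str, int]:
        lo, hi = next(r for r in PAT_RANGES if r[0] <= src_port <= r[1])
        if src_port not in self.used_ports:
            port = src_port                       # port preserved if free
        else:
            # Collision: fall back to the lowest free port in the same range.
            port = next(p for p in range(lo, hi + 1) if p not in self.used_ports)
        self.used_ports.add(port)
        return self.public_ip, port


@dataclass
class StaticNat:
    """One-to-one address translation; layer-4 ports are never rewritten."""
    mapping: dict  # inside real IP -> public IP

    def translate(self, src_ip: str, src_port: int) -> tuple[str, int]:
        return self.mapping[src_ip], src_port


def outside_ntp_accepts(src_port: int) -> bool:
    """The bug described by the original poster: source ports < 123 rejected."""
    return src_port >= NTP_PORT


def simulate(nat, inside_hosts: list[str]) -> dict[str, tuple[int, bool]]:
    """Each inside host sends one NTP request; record translated port + verdict."""
    results = {}
    for ip in inside_hosts:
        _, port = nat.translate(ip, NTP_PORT)
        results[ip] = (port, outside_ntp_accepts(port))
    return results


if __name__ == "__main__":
    print(simulate(Pat("203.0.113.10"), ["10.0.0.5", "10.0.0.6"]))
    print(simulate(StaticNat({"10.0.0.5": "203.0.113.10"}), ["10.0.0.5"]))
```

With two inside hosts behind the PAT the second one is translated to port 1 and rejected, while the static NAT leaves source port 123 untouched.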