NTP server unreachable through ASA firewall

Hi all,
I've configured a DMZ switch to point to an NTP server on the Inside, but I get a debug message on the switch that says:
NTP: <NTP server IP address> unreachable
I'm confident that the NTP server is configured properly, as there are more than a dozen other hosts successfully using it. The difficulty here is that the NTP packets have to flow from the DMZ to the Inside. I have a rule set on the firewall that permits the IP address of the switch to connect to the IP address of the NTP server as follows:
access-list intdmz1_acl extended permit udp host <IP address of switch> host <IP address of NTP server> eq ntp
I can see the hit counter on this rule incrementing.
The firewall can ping the NTP server, and the NTP server can ping the switch, so I think routing is OK.
Output from the DMZ switch:
switch#show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
~192.168.65.254   0.0.0.0          16     -    64    0     0.0    0.00  16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
switch#show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
reference time is 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
PRNLN-DMZ-SW01#sh run | inc ntp
ntp source Vlan138
ntp server 192.168.65.254
ukhvdc00vs01#sh run | inc ntp
ntp source Vlan65
ntp master 3
ntp update-calendar
ntp server 0.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org
Does the firewall rule need to permit more than UDP/123 for this to work perhaps?
NTPconfig on DMZ switch:
switch#sh run | inc ntp
ntp source Vlan138
ntp server <IP address of NTP server>
===================
NTP config on NTP server:
NTP_Server#sh run | inc ntp
ntp source Vlan65
ntp master 3
ntp update-calendar
ntp server 0.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org
Any guidance welcomed.
Thank you,
Olly
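
What the switch and the server actually exchange is a single 48-byte UDP datagram each way (the "udp 48" that shows up in ASA captures), and the "stratum 16 / reference time 00000000.00000000 (1900)" in `show ntp status` is just the on-wire encoding of "never synchronized". The following is an added example, not code from Olly's post or from Cisco: it builds the mode-3 request, parses the mode-4 reply, and applies the checks a client should make before trusting a reply (originate timestamp matches what we sent, server not in alarm state, stratum in 1..15). The server address, the timestamps and the offline sample exchange are constructed; `query()` is the only function that touches the network and `source_port=123` mimics the switch, which, as the capture shows, sends from UDP 123.

```python
"""SNTP request/reply builder, parser and client-side checks (RFC 5905 packet format)."""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800        # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
NTP_PACKET_FORMAT = "!BBBb11I"       # LI|VN|Mode, stratum, poll, precision, then eleven 32-bit words
NTP_PACKET_SIZE = struct.calcsize(NTP_PACKET_FORMAT)   # 48 bytes, the "udp 48" in the ASA capture
MODE_CLIENT, MODE_SERVER = 3, 4
LI_ALARM = 3                         # leap indicator 3: clock not synchronized


def to_ntp(unix_time):
    """Unix seconds (float) -> (seconds, fraction) halves of a 64-bit NTP timestamp."""
    whole = int(unix_time)
    return whole + NTP_EPOCH_OFFSET, int((unix_time - whole) * (1 << 32))


def from_ntp(secs, frac):
    """NTP (seconds, fraction) -> Unix seconds; (0, 0) is the 1900-01-01 'reference time' of an unsynced clock."""
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_request(sent_time, version=4):
    """Mode-3 client request. Only the transmit timestamp carries data: the server echoes
    it in the reply's originate field and the client treats it as a nonce."""
    first_byte = (0 << 6) | (version << 3) | MODE_CLIENT
    t_sec, t_frac = to_ntp(sent_time)
    return struct.pack(NTP_PACKET_FORMAT, first_byte, 0, 6, -20,
                       0, 0, 0,            # root delay, root dispersion, reference id
                       0, 0, 0, 0, 0, 0,   # reference, originate, receive timestamps (unused in a request)
                       t_sec, t_frac)


def parse_packet(data):
    """Decode the header fields and the four timestamps of a 48-byte NTP packet."""
    if len(data) < NTP_PACKET_SIZE:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    f = struct.unpack(NTP_PACKET_FORMAT, data[:NTP_PACKET_SIZE])
    return {
        "li": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
        "stratum": f[1], "poll": f[2], "precision": f[3],
        "root_delay": f[4] / 65536.0, "root_dispersion": f[5] / 65536.0,   # 16.16 fixed point, seconds
        "ref_id": struct.pack("!I", f[6]),
        "reference": from_ntp(f[7], f[8]),
        "originate_raw": (f[9], f[10]), "originate": from_ntp(f[9], f[10]),
        "receive": from_ntp(f[11], f[12]),
        "transmit_raw": (f[13], f[14]), "transmit": from_ntp(f[13], f[14]),
    }


def build_server_reply(request, receive_time, transmit_time, stratum=3, ref_id=b"LOCL", li=0):
    """Mode-4 reply as a server builds it: copy the request's transmit timestamp into
    'originate', stamp receive/transmit from the server clock. li=3, stratum=16 is what an
    unsynchronized server (the 'stratum 16' of 'show ntp status') would answer with."""
    req = parse_packet(request)
    first_byte = (li << 6) | (req["version"] << 3) | MODE_SERVER
    ref_sec, ref_frac = to_ntp(receive_time - 64)   # constructed: last sync one poll interval ago
    r_sec, r_frac = to_ntp(receive_time)
    x_sec, x_frac = to_ntp(transmit_time)
    return struct.pack(NTP_PACKET_FORMAT, first_byte, stratum, req["poll"], -20,
                       0, 0, struct.unpack("!I", ref_id)[0],
                       ref_sec, ref_frac,
                       req["transmit_raw"][0], req["transmit_raw"][1],
                       r_sec, r_frac, x_sec, x_frac)


def validate_reply(sent_time, reply, arrival_time):
    """Checks a client makes before trusting a reply; returns the fields plus offset and delay."""
    p = parse_packet(reply)
    if p["mode"] != MODE_SERVER:
        raise ValueError("not a server reply (mode %d)" % p["mode"])
    if p["originate_raw"] != to_ntp(sent_time):
        raise ValueError("originate timestamp does not match our request: replayed or spoofed reply")
    if p["li"] == LI_ALARM or p["stratum"] == 0 or p["stratum"] >= 16:
        raise ValueError("server is unsynchronized (LI=%d, stratum=%d)" % (p["li"], p["stratum"]))
    t1, t2, t3, t4 = sent_time, p["receive"], p["transmit"], arrival_time
    p["offset"] = ((t2 - t1) + (t3 - t4)) / 2   # how far the local clock lags the server's
    p["delay"] = (t4 - t1) - (t3 - t2)           # round trip minus server processing time
    return p


def query(server, port=123, source_port=0, timeout=2.0):
    """One real request on the wire. source_port=123 mimics a Cisco switch (needs root);
    0 lets the OS pick an ephemeral port, as ntpdate -q does."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind(("", source_port))
    try:
        sent = time.time()
        sock.sendto(build_request(sent), (server, port))
        data, _ = sock.recvfrom(NTP_PACKET_SIZE)
        return validate_reply(sent, data, time.time())
    finally:
        sock.close()


def sample_exchange():
    """Constructed offline exchange: server 5 s ahead, 10 ms each way, 1 ms server processing."""
    t1 = 1700000000.25
    reply = build_server_reply(build_request(t1), receive_time=t1 + 5.010, transmit_time=t1 + 5.011)
    return validate_reply(t1, reply, arrival_time=t1 + 0.021)   # offset 5.000 s, delay 0.020 s
```

Running `query("10.1.1.1", source_port=123)` from a host in the DMZ VLAN reproduces what the switch does: if the request is dropped on the way, `recvfrom` times out, which is the same symptom as the "unreachable" debug and `reach 0` on the switch; if the server answers but is itself unsynchronized, `validate_reply` rejects it instead of silently accepting a stratum-16 clock.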

Hi Julio,
For the purposes of this information:
DMZ switch IP = 5.6.7.8
NTP server IP = 10.1.1.1
Here's the output from the show commands:
ciscoasa# show capture NTPCAPTUREDMZ
11 packets captured
   1: 16:22:05.271500 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
   2: 16:23:09.276185 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
   3: 16:24:13.274033 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
   4: 16:24:57.272813 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
   5: 16:24:58.279480 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
   6: 16:24:59.277817 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
   7: 16:25:00.275971 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
   8: 16:25:01.275559 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
   9: 16:25:02.272599 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
  10: 16:25:03.279129 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
  11: 16:25:04.277710 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
11 packets shown
ciscoasa# show capture NTPCAPTUREINSIDE
0 packet captured
0 packet shown
ciscoasa# show capture NTPASP | include 10.1.1.1
419: 16:24:13.274171 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
1820: 16:24:57.272904 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
1841: 16:24:58.279587 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
1876: 16:24:59.277909 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
1934: 16:25:00.276062 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
2027: 16:25:01.275651 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
2068: 16:25:02.272690 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
2095: 16:25:03.279221 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
2129: 16:25:04.277802 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
2200: 16:25:05.275849 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
2233: 16:25:06.274094 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
2275: 16:25:07.273606 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
2327: 16:25:08.280182 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
2347: 16:25:09.277222 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
2373: 16:25:10.275467 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
2399: 16:25:11.273759 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
2414: 16:25:12.273347 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
I'm guessing we should see some packets in the second capture, but we don't...
Does this help?
Thanks!
Olly
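
The three captures above are the classic three-point check on an ASA: packets arriving on the ingress interface, packets leaving on the egress interface, and packets the accelerated security path discarded. Reading them by eye works for eleven lines; the following is an added example, not from the thread, that parses `show capture` output and reports, per flow, whether the box forwarded or dropped it. The sample capture text is constructed in the same format as the lines Olly pasted (the capture names are the thread's; treating NTPASP as a `capture ... type asp-drop` capture is an assumption), and it also handles the trailing `Drop-reason: (code) text` that asp-drop captures print on releases that include it.

```python
"""Correlate ASA 'show capture' output across ingress, egress and asp-drop captures."""
import re
from collections import Counter

# One 'show capture' packet line: index, timestamp, optional 802.1Q tag, 5-tuple, length,
# and an optional trailing "Drop-reason: (code) text" on asp-drop captures that print it.
CAPTURE_LINE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q vlan#(?P<vlan>\d+) P\d\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<proto>[a-z]+)\s+(?P<length>\d+)"
    r"(?:\s+Drop-reason:\s+\((?P<drop_code>[^)]+)\)\s*(?P<drop_text>.*))?\s*$"
)

# Constructed sample in the format of the captures pasted above (not the thread's real data).
SAMPLE = {
    "NTPCAPTUREDMZ": """4 packets captured
   1: 16:22:05.271500 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
   2: 16:23:09.276185 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
   3: 16:23:10.100000 802.1Q vlan#138 P6 5.6.7.8.49152 > 10.1.1.1.53:  udp 40
   4: 16:23:11.000000 802.1Q vlan#138 P6 192.0.2.10.40000 > 10.1.1.1.123:  udp 48
4 packets shown""",
    "NTPCAPTUREINSIDE": """1 packet captured
   1: 16:23:10.100120 5.6.7.8.49152 > 10.1.1.1.53:  udp 40
1 packet shown""",
    "NTPASP": """2 packets captured
 419: 16:23:09.276300 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
 420: 16:23:11.000100 802.1Q vlan#138 P6 192.0.2.10.40000 > 10.1.1.1.123:  udp 48 Drop-reason: (no-route) No route to host
2 packets shown""",
}


def parse_capture(text):
    """One dict per packet line; the 'N packets captured/shown' header and footer are skipped."""
    packets = []
    for line in text.splitlines():
        m = CAPTURE_LINE.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["flow"] = (p["proto"], p["src"], int(p["sport"]), p["dst"], int(p["dport"]))
        packets.append(p)
    return packets


def flow_counts(packets):
    """Packets per 5-tuple."""
    return Counter(p["flow"] for p in packets)


def diagnose(captures, ingress, egress, drops):
    """captures: {capture name: 'show capture' text}. For every flow seen on the ingress capture,
    say whether it left on the egress capture, was seen in the drop capture, or vanished."""
    parsed = {name: parse_capture(text) for name, text in captures.items()}
    counts = {name: flow_counts(pkts) for name, pkts in parsed.items()}
    findings = []
    for flow, n_in in sorted(counts[ingress].items()):
        proto, src, sport, dst, dport = flow
        label = "%s %s:%d -> %s:%d" % (proto, src, sport, dst, dport)
        n_out = counts[egress].get(flow, 0)
        n_drop = counts[drops].get(flow, 0)
        if n_out > 0:
            findings.append("%s: %d in, %d out, forwarded" % (label, n_in, n_out))
        elif n_drop > 0:
            codes = sorted({p["drop_code"] for p in parsed[drops] if p["flow"] == flow and p["drop_code"]})
            reason = ", ".join(codes) or "no drop reason printed; run 'show asp drop'"
            findings.append("%s: %d in, 0 out, %d in %s: dropped by the ASA (%s)"
                            % (label, n_in, n_drop, drops, reason))
        else:
            findings.append("%s: %d in, 0 out, not in %s: check whether NAT changed the addresses "
                            "so the egress capture filter no longer matches" % (label, n_in, drops))
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE, "NTPCAPTUREDMZ", "NTPCAPTUREINSIDE", "NTPASP"):
        print(line)
```

Feed it the real output (`show capture NTPCAPTUREDMZ`, `show capture NTPCAPTUREINSIDE`, `show capture NTPASP`, pasted into the three dictionary entries) and the NTP flow comes out as "N in, 0 out, seen in NTPASP", i.e. the ASA itself is discarding it rather than a downstream device; the drop counter names in `show asp drop` then say why.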

Similar Messages

  • WMI query through ASA Firewall

    I'm a newbie - please be patient
    We have an ASA firewall that has several DMZ VLANs.
    A support company that is responsible for the SQL Servers wants to use WMI to query server health.
    Their monitoring server is currently on the internal LAN; eight SQL Servers are on the internal LAN and six of the SQL Servers are in the DMZ.
    Two of the SQL Servers in the DMZ are 2003x32 Standard Edition and four are 2008R2x64 Enterprise Edition
    The question is that the ports that need to be open for Windows 2003 form a concerningly large range: tcp/1025-65535, tcp/135.
    What are everyone’s thoughts on opening up such a large range?
    Is there a better way of doing this – unfortunately getting the monitoring software rewritten is not an option, and nor is going Linux.
    Thanks
    PS - if this has already been asked can someone point me to the discussions

    Hi
    I would say that that is a no-no.
    But that depends on the environment; for some (most) I would say it's not OK, but some might feel that they do not need that much security.
    WMI is a bit tough on firewalls.
    But there are ways to limit the ports used by WMI,
    e.g. you can set it to use fixed ports, and so on.
    Sure, it makes the server guys a little less happy since it does not work from the start and they have to make some changes, but the added security is well worth the fight.
    Here is a link to SolarWinds for people with the same problem, and an answer that seems to work
    (I have not tested this) from ASH J Kent (almost at the bottom).
    http://thwack.solarwinds.com/forums/68/application--server-management/21/server--application-monitor/16415/wmi-monitoring-through-firewal/
    Here is one from MSDN
    http://msdn.microsoft.com/en-us/library/windows/desktop/bb219447(v=vs.85).aspx
    Good luck
    HTH

  • Securely Access Exchange Server 2007 through ASA 5510 using Outlook

    Is there any way to access a MS Exchange Server 2007 on Windows server 2008 through an ASA 5510 running 8.4 with a full MS Outlook client (not using OWA - web browser)?  OWA is currently working fine but I was wondering if access via the full Outlook client is possible and more importantly...is it opening up too many ports on my 5510?  Any help is much appreciated!
    ~John

    Hi John,
    For that scenario, a remote access VPN is probably the best way to go (either the traditional IPSec client or SSL VPN/AnyConnect). This config guide lists your options on the ASA:
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_ike.html
    -Mike

  • How can we allow internal users to access internet through ASA firewall?

    Hello,
    I am new to the security track; I have been asked to set up a lab and allow users from inside the firewall to access the internet. Here is my lab setup:
    PC -> switch 1 (layer2) -> (inside) ASA (outside) -> switch 2 (Layer2) -> Router
    Does the switch 2 port need internet access through the router?
    What configuration is required on the ASA to allow users behind the firewall to access the internet?
    Any help on this would be much appreciated.
    thanks,

    Hi,
    Okay, can you clarify this for me: are you able to ping the internet from the ASA outside interface?
    Just try something like this:
    ping 4.2.2.2 ... does this work?
    If this does not work, then I think the ASA itself is not able to get to the internet, and that would be a problem on the router.
    Also, internet from Switch 2 is not a requirement, as that is only a Layer 2 device.
    You can assign the ISP-allocated address to the PC, connect it to the Switch 2 port and then try to ping something on the internet or surf the internet, and I think that should work.
    Thanks and Regards,
    Vibhor Amrodia

  • Is Calendar Server accessible through a firewall?

    What ports on a firewall need to be opened in order to access the Calendar Server over the internet?
    Ports 5730, 5731, 5732
    However, this configuration is not recommended unless you are in a secure environment, since there is no secure Calendar protocol.

    The point of using a web-based e-mail client is that ports 80 and sometimes 443 are the only ports you can be sure are open in most cases. It's the protocol that's blocked by the firewall, not the application. If pop and imap are blocked, then no pop or imap client will work.

  • Cisco Call manager 7.2 through ASA firewall

    Hi,
    We have a part of our building that we have sold to another company. We still have to provide them with some resources until they can install their own network. We have a 6500 switch there and we are going to implement an ASA in between and lock down most communication. One of the resources required is Cisco IP phones.
    Does anyone know which ports etc. are required to be opened to allow communication between these phones and Call Manager and other IP phones on the site?
    Any help would be appreciated.

    Hi Andrew
    The attached document may assist:
    http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/port/7_0/CCM_7.0PortList.pdf
    A lot depends on topology etc, and the handset registration protocol you are using (SIP vs SCCP).
    Hope this helps.
    Barry Hesk
    Intrinsic Network Solutions

  • How to sync clock of Cisco ASA 5505 from NTP Server on internet

    Hi there!
    I've set up a site with a Cisco ASA 5505. It has a public IP also.
    I want to sync the clock of the firewall from an NTP server on the internet, or with an internal domain controller that is inside the LAN.
    The firewall has a public IP also.
    How can I do this?
    Regards!

    Hello Lasandro,
    This should do it!
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/basic_hostname_pw.html#wp1236530
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • L4 ASA5520 Firewall act as NTP Server/Client

    Hi experts,
    I know that the ASA can act as NTP server/client simultaneously, so my question is: do you prefer/recommend using the border router or a FW such as the ASA to act as NTP server for the internal switches/routers as well as the Windows hosts? I know that network equipment is OK, but I'm not sure about syncing time from the ASA to Windows hosts.
    So, I have an ASA 5520 designed to reside as an L4 firewall, with one DMZ, and the PDC on the ASA's inside. What is the best practice for the time stratum?
     1) Use the L4 FW (ASA 5520) to get time from the internet and configure it as an NTP server as well; then my internal switches/routers and the Windows PDC (primary domain controller) could set their time source to the border ASA 5520.
     2) Set the internal PDC to take time from the internet (allowing only NTP to pass between the PDC and the internet via the ASA 5520); then the L4 ASA 5520 and the other switches/routers get time from the inside PDC...
    Can someone point this out for me?
    Thanks and regards,
    Taixing An

    My central point for NTP sync is my SVI in Management, and this one syncs from the Internet; in the last case I have a less preferred endpoint (PDC).

  • NTP Server behind CSS / Responses from outside don't get through

    I have a CSS and behind it an NTP server (simulated for this posting by the ntpdate command):
    First, when I use ntpdate -q 128.130.2.7 (with the -q parameter a source port >1024 is used) all goes fine; I get a response, and the flow trace-ip shows:
    JAN 20 10:12:15 1/1 1187 FLOWMGR-4: UDP in 192.168.7.73:35700->128.130.2.7:123
    JAN 20 10:12:15 1/1 1188 FLOWMGR-4: UDP out 128.131.2.73:4724->128.130.2.7:123
    JAN 20 10:12:15 1/1 1189 FLOWMGR-4: UDP in 128.130.2.7:123->128.131.2.73:4724
    JAN 20 10:12:15 1/1 1190 FLOWMGR-4: UDP out 128.130.2.7:123->192.168.7.73:35700
    But when I now use ntpdate 128.130.2.7 without the -q option, i.e. the well-known source port 123 is used, no response comes through and the trace-ip shows:
    JAN 20 10:13:20 1/1 1194 FLOWMGR-4: UDP in 192.168.7.73:123->128.130.2.7:123
    JAN 20 10:13:20 1/1 1195 FLOWMGR-4: UDP out 128.131.2.73:123->128.130.2.7:123
    JAN 20 10:13:20 1/1 1196 FLOWMGR-4: UDP in 128.130.2.7:123->128.131.2.73:123
    JAN 20 10:13:21 1/1 1197 FLOWMGR-4: UDP in 128.130.2.7:123->128.131.2.73:123
    JAN 20 10:13:22 1/1 1198 FLOWMGR-4: UDP in 128.130.2.7:123->128.131.2.73:123
    JAN 20 10:13:23 1/1 1199 FLOWMGR-4: UDP in 128.130.2.7:123->128.131.2.73:123
    i.e. 128.130.2.7 sends the response to the VIP address and the CSS receives it, but does not send it to the requesting server.
    The relevant configuration parts are (currently the ACL is disabled!):
    !************************** CIRCUIT **************************
    circuit VLAN602
    ip address 128.131.2.101 255.255.255.0
    ip virtual-router 102 priority 254 preempt
    ip redundant-vip 102 128.131.2.72 shared
    ip redundant-vip 102 128.131.2.73 shared
    ip redundant-vip 102 128.131.2.3 shared
    ip critical-service 102 gw-128.131.2
    !*************************** GROUP ***************************
    group ogawa2
    add service ogawa2i
    vip address 128.131.2.73
    active
    !************************** SERVICE **************************
    service ogawa2i
    ip address 192.168.7.73
    active
    It looks like the response does not come through if the source port of the requesting server is a port <1024.
    Any ideas ??

    There are some ports for which we do not maintain flow information, but 123 should not be one of them.
    What software version are you using?
    A workaround could be to create the following content rule:
    owner TEST
    content NTP
    vip address 128.131.2.73
    protocol udp
    port 123
    add service ogawa2i
    active
    Let me know if this works.
    Gilles.

  • NTP through ASA

    I am trying to set up NTP from a router that is behind an ASA. I am trying to sync it with time.nist.gov (UDP port 123). However, "sh asso det" lists the NIST server as "insane and invalid". The ASA does a source NAT and also changes the source port. When I use my backup internet connection, which is a DSL modem, NTP works fine (different NAT address). On the ASA, for NTP, the packets are getting NAT'ed and a UDP session is built. After 2 minutes the session is torn down.
    Here is the syslog message:
    Built outbound UDP connection 186440 for ouside:216.229.0.179/123 (216.229.0.179/123) to inside:172.16.64.4/123(xx.xx.xxx.xxx/409)
    I have forced the NAT so that the source port stays 123 after NAT but no change.
    Appreciate any input.

    NTP shouldn't care what your source port is, as long as the destination is udp/123.
    Since it looks like the udp flow is being setup, I'd suspect something upstream isn't getting your packets to the destination NTP server.

  • Lenovo W530/W540 Getting Destination host Unreachable from our Firewall

    Hey Everyone!
    I'm having some bizarre issues with all of my Lenovo W530/W540s. I'm not sure when the issue started; the first time it was reported to me was around March, and it has been persistent since the issue was discovered. The issue is that, quite frequently, our Lenovo W530/W540s will get Destination Host Unreachable if I run a continuous ping (ping -t ...) to anything outside our firewall.
    I have run a ping to things inside our firewall (other computers/servers, etc.) and they will return good ping until the cows come home.
    However, if I try to ping anything outside our firewall (google.com, Google DNS 8.8.8.8, yahoo.com, etc.), about every 30 seconds (every 30-35 returns) it starts returning Destination Host Unreachable from our firewall. This will last for around 10-25 returns, and then traffic goes back to normal.
    We are a majority Apple Shop, and when I attempt to ping from any Apple on the network, it get fine returns consistently.  I also tried pinging from the few non-Lenovo Windows Machines we have as well (my personal machine which is self-built Windows rig, a couple of windows test machines, and a Windows 2008 Server we have) and they also have consistently good returns as well.
    It is ONLY the Lenovos that have this problem. To compound things, they have no issue when they are connected to a different network other than the company network. This ONLY happens when they try to interact with traffic going THROUGH our firewall on our company network. It happens regardless of whether they are hardwired or wireless. Also, during the Destination Host Unreachable moments, Windows does not detect a disruption; it keeps registering a good connection. I do not know how often Windows checks for connection, but these Destination Host Unreachable moments are so quick, I'm fairly certain that Windows can't even detect them.
    Our Firewall is a Linux CentOS server that is running Shorewall Firewall Software.  The Destination Host Unreachable notice is coming from our Firewall directly, not from our ISP, so for some reason, the Lenovo is having a problem talking to our FW.
    We currently only have 3 of these machines in circulation, but it's having a pretty big impact on those with the machines, as going to a website is even a chore: they often get "Page Not Found" and other errors when they try to load a website.
    I'm a bit stumped; I've never seen a machine act this way where it only has problems on a particular network. Usually it's a global issue it has with everything. Any and all help would be appreciated.
    Thanks!
    -Chris

    DNS is set to be automatic, though I did try setting a permanent DNS server in the IPv4 settings to our local DNS server AND Google DNS, and the issue still occurred.
    The two conflicting firewalls could be it, so I tested that. I logged into the Local Administrator account on the machine so I could temporarily disable the firewall. I disabled it, pinged out, and I still get Destination Host Unreachable, though weirdly it seems to happen less than when on the other account (only about every 50-60 pings do I get Destination Host Unreachable).

  • NTP Server Setting

    Hi,
    I have ASA 5520 installed.
    I want to use ntp server for firewall clock setting.
    I found one open-access ntp server (stratum 2) in Los Angeles:
    dmz0.la-archdiocese.net
    209.151.225.100
    Can I use the following command to set ntp server?
    ntp server 209.151.225.100 source outside

    Hello John,
    Not sure, I do not have that information on the top of my head,
    Maybe you can run a quick debug on your ASA and provide us the answer
    regards

  • Ntp server connection

    Hello,
    I have a problem connecting to the NTP server; please see below:
    dslrouter#show ntp associations
          address         ref clock     st  when  poll reach  delay  offset    disp
    ~130.88.203.12    0.0.0.0          16     -    64    0     0.0    0.00  16000.
    * master (synced), # master (unsynced), + selected, - candidate, ~ configured
    dslrouter#show ntp status
    Clock is unsynchronized, stratum 16, no reference clock
    nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**16
    reference time is 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
    clock offset is 0.0000 msec, root delay is 0.00 msec
    root dispersion is 0.00 msec, peer dispersion is 0.00 msec
    Any reasons? This is the first time I am trying to sync to an NTP server.
    On the WAN inbound I have permitted destination UDP port 123 through the access-list.

    Do you have any input ACL on the gateway? Disable it for a moment to test. It could be a problem from your ISP, or an ISP filter/firewall on input/output. Could you try with another NTP server?

  • IP Phone SSL VPN through ASA

    I'm in the middle of configuring IP Phone SSL VPN through the ASA and got stuck on authentication. When I enter the username and password on the phone screen, I get a "Username and password failed" message on the screen. However, in the ASA logs I see the following lines:
    Feb 16 2011    15:12:57    725002    85.132.43.67    52684            Device completed SSL handshake with client vpn:85.132.*.*/52684
    Feb 16 2011    15:17:26    725007    85.132.43.67    52745            SSL session with client vpn:85.132.*.*/52745 terminated.
    What does it mean?  How can I turn on debugging to see what is going on?
    Thank you in advance!

    Hi,
    If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
    Did this answer your question? If so, please mark it Answered!

  • How Can i Use two Different Public IP Addresses no my DMZ with ASA Firewall.

    How to Use Two Different Public IP Addresses on My DMZ with ASA 5520
    Posted by jorge decimo decimo on 28/Jan/2013 5:51:28
    Hi everyone out there.
    Can anyone please help me regarding this situation? I'm looking for a solution.
    My old range of public IP addresses is used up, I mean the 41.x.x.0 range.
    So now I still need to have another two servers in my DMZ that will bring some new services.
    Remember that those two servers will need to be accessible both from inside and from outside users (Internet users) as well.
    So as I said, my old range of public IP addresses is used up and we asked the ISP to give us some additional public
    IP addresses to address the needs of the two new servers on the DMZ, and the ISP gave us the range 197.216.1.24/29.
    So my question is, in the real world (on the equipment), how can I use two different public IP address ranges on the same DMZ
    on a Cisco ASA 5520 v8?
    What should my configuration look like?
    I was told about implementing static NAT with sub-interfaces on both the router and the ASA interface.
    Can someone please help me with a practical config sample? I can also be reached at [email protected]
    Attached is my network diagram for a better understanding.
    I thank everybody in advance.
    Jorge

    Hi,
    So looking at your picture, you have the original public IP address range configured on the OUTSIDE and it's used for NAT for different servers behind the ASA firewall.
    Now you have gotten a new public IP address range from the ISP and want to get it into use.
    How do you want to use this IP address range? Do you want to configure the public IP addresses directly on the servers, or NAT them at the ASA and have private IP addresses on the actual servers (like it seems to be for the current servers)?
    To get the routing working, naturally the only thing needed between your Router and Firewall would be to have a static route for the new public network range pointing towards your ASA OUTSIDE IP address. The routing between your Router and the ISP core could be handled either with Static Routing or with Dynamic Routing.
    So you don't really need to change the interface configuration between the Router and ASA at all. You just need a static route pointing the new public IP address range towards the ASA outside IP address.
    Now, when the routing is handled between the ISP - ISP/Your Router - Your Firewall, you can then consider how to use those IP addresses.
    Do you want to use the public IP addresses DIRECTLY on the HOSTS behind the firewall? This would require you to either configure a new physical interface with the new public IP address range OR create a new subinterface with the new public IP address range, AND then configure the LAN devices correspondingly to the chosen method on the firewall.
    Do you want to use the public IP addresses DIRECTLY on the ASA OUTSIDE as NAT IP addresses? This would only require you to start configuring Static NAT for the new servers between the inside/dmz and outside interfaces of the ASA. The format would be no different from the previous NAT configuration, other than for the different IP addresses of course.
    Of the above ways:
    The first way is good because the actual hosts will have the public IP addresses. Therefore you won't run into problems with DNS when the LAN users are trying to access the server.
    The second way is the one requiring the least amount of configuration/changes on the ASA. In this case though you might run into a problem with DNS (to which I refer above), as the server actually has a private IP address but the public DNS might reply to the LAN hosts with a public IP address, and therefore connections from the LAN could fail. This is because LAN users can't connect to the server's OUTSIDE NAT IP address (unless you NAT the server to the public IP address towards the LAN also).
    Hopefully the above was helpful. Naturally, ask more specific questions and I'll answer them. Hopefully I didn't miss something. But please ask more.
    I'm currently at Cisco Live! 2013 London so in the "worst case" I might be able to answer on the weekend at earliest.
    - Jouni
