Verify NTP master config

I have a router BRI_2811_1 which is getting NTP from 10.66.41.201 and this is working.
When I then wish to make BRI_2811_1 the master for my local network, the internal clock on this router is coming up as "insane". Why is this so? Eventually I would like all my switches to look to BRI_2811 as their NTP master.
BRI_2811_1#show run | i ntp|clock
clock timezone AEST 10 0
clock calendar-valid
ntp source Loopback0
ntp master 6
ntp server 10.66.41.201
BRI_2811_1#
BRI_2811_1#
BRI_2811_1#show ntp stat
BRI_2811_1#show ntp status 
Clock is synchronized, stratum 5, reference is 10.66.41.201  
nominal freq is 250.0000 Hz, actual freq is 249.9950 Hz, precision is 2**24
reference time is D8E4D87D.4E30DD39 (00:58:05.305 AEST Sat Apr 25 2015)
clock offset is -5.1655 msec, root delay is 57.61 msec
root dispersion is 326.92 msec, peer dispersion is 3.74 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000019698 s/s
system poll interval is 64, last update was 172 sec ago.
BRI_2811_1# 
BRI_2811_1#show ntp ass
  address         ref clock       st   when   poll reach  delay  offset   disp
 ~127.127.1.1     .LOCL.           5     13     16   377  0.000   0.000  0.243
*~10.66.41.201    10.66.9.16       4     48     64   377 22.535  -5.165  3.749
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
BRI_2811_1#
BRI_2811_1#show ntp ass det
127.127.1.1 configured, insane, invalid, stratum 5
ref ID .LOCL., time D8E4D932.4915B594 (01:01:06.285 AEST Sat Apr 25 2015)
our mode active, peer mode passive, our poll intvl 16, peer poll intvl 16
root delay 0.00 msec, root disp 0.00, reach 377, sync dist 2.74
delay 0.00 msec, offset 0.0000 msec, dispersion 0.24
precision 2**24, version 4
org time D8E4D932.4915B594 (01:01:06.285 AEST Sat Apr 25 2015)
rec time D8E4D932.491675DE (01:01:06.285 AEST Sat Apr 25 2015)
xmt time D8E4D932.49152E3B (01:01:06.285 AEST Sat Apr 25 2015)
filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =     0.00    0.25    0.51    0.75    1.02    1.26    1.51    1.75
minpoll = 4, maxpoll = 4
10.66.41.201 configured, our_master, sane, valid, stratum 4
ref ID 43.66.9.16    , time D8E4D803.F3B64840 (00:56:03.952 AEST Sat Apr 25 2015)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 35.07 msec, root disp 317.04, reach 377, sync dist 386.52
delay 22.53 msec, offset -5.1655 msec, dispersion 3.74
precision 2**10, version 4
org time D8E4D8FE.4A7EFAA8 (01:00:14.291 AEST Sat Apr 25 2015)
rec time D8E4D8FE.4EB368F5 (01:00:14.307 AEST Sat Apr 25 2015)
xmt time D8E4D8FE.48E78643 (01:00:14.284 AEST Sat Apr 25 2015)
filtdelay =    22.64   22.77   22.53   22.65   22.82   22.97   22.57   22.82
filtoffset =   -5.10   -5.22   -5.16   -6.06   -5.33   -6.43   -6.73   -6.89
filterror =     0.97    1.96    2.91    3.85    4.83    5.80    6.75    7.72
minpoll = 6, maxpoll = 10

No access groups at all, and the router is the next hop.
HQ-3845#show clock det
10:40:01.020 AEST Sun Apr 26 2015
Time source is NTP
HQ-3845#sho ntp ass det
127.127.1.1 configured, insane, invalid, stratum 6
ref ID .LOCL., time D8E6B25A.72DE3D46 (10:39:54.448 AEST Sun Apr 26 2015)
our mode active, peer mode passive, our poll intvl 16, peer poll intvl 16
root delay 0.00 msec, root disp 0.00, reach 377, sync dist 2.96
delay 0.00 msec, offset 0.0000 msec, dispersion 0.24
precision 2**24, version 4
org time D8E6B25A.72DE3D46 (10:39:54.448 AEST Sun Apr 26 2015)
rec time D8E6B25A.72DE9CB0 (10:39:54.448 AEST Sun Apr 26 2015)
xmt time D8E6B25A.72DE0842 (10:39:54.448 AEST Sun Apr 26 2015)
filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =     0.00    0.25    0.49    0.73    0.99    1.26    1.53    1.78
minpoll = 4, maxpoll = 4
10.66.202.252 configured, our_master, sane, valid, stratum 4
ref ID 10.66.9.16    , time D8E6B1CB.E328A743 (10:37:31.887 AEST Sun Apr 26 2015)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 74.53 msec, root disp 189.16, reach 377, sync dist 306.79
delay 0.61 msec, offset -1.8279 msec, dispersion 4.73
precision 2**22, version 4
org time D8E6B23E.726564BD (10:39:26.446 AEST Sun Apr 26 2015)
rec time D8E6B23E.72FFC6BD (10:39:26.449 AEST Sun Apr 26 2015)
xmt time D8E6B23E.72CFC2A8 (10:39:26.448 AEST Sun Apr 26 2015)
filtdelay =     0.71    0.68    0.71    0.68    0.72    0.73    0.70    0.61
filtoffset =   -1.99   -1.97   -1.96   -1.97   -1.97   -1.97   -1.90   -1.82
filterror =     0.00    0.99    1.93    2.91    3.90    4.87    5.82    6.81
minpoll = 6, maxpoll = 10
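
As an added example (not part of the original post), the following Python parses the "show ntp status" and "show ntp associations" output quoted above and reports which peer the router actually follows, whether it has fallen back to its local 127.127.1.1 reference although upstream servers are configured, whether any upstream is missing polls, and whether root dispersion exceeds the 1000 ms ceiling IOS applies before it will stay synchronized; it also decodes the hex NTP reference timestamp to UTC. The sample text is copied from the post; the function names and warning rules are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

NTP_UNIX_OFFSET = 2208988800  # seconds between the NTP epoch (1900) and the Unix epoch (1970)

# Output copied from the post above (BRI_2811_1, 25 Apr 2015).
SHOW_NTP_STATUS = """\
Clock is synchronized, stratum 5, reference is 10.66.41.201
nominal freq is 250.0000 Hz, actual freq is 249.9950 Hz, precision is 2**24
reference time is D8E4D87D.4E30DD39 (00:58:05.305 AEST Sat Apr 25 2015)
clock offset is -5.1655 msec, root delay is 57.61 msec
root dispersion is 326.92 msec, peer dispersion is 3.74 msec
"""
SHOW_NTP_ASSOCIATIONS = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
 ~127.127.1.1     .LOCL.           5     13     16   377  0.000   0.000  0.243
*~10.66.41.201    10.66.9.16       4     48     64   377 22.535  -5.165  3.749
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

# First column of "show ntp associations": how the selection algorithm classed the peer.
STATE_FLAGS = {"*": "sys.peer", "#": "selected", "+": "candidate",
               "-": "outlyer", "x": "falseticker", " ": "unselected"}

ASSOC_LINE = re.compile(
    r"^(?P<flag>[ *#+x-])(?P<cfg>~?)(?P<address>\S+)\s+(?P<refclock>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+(?P<delay>[\d.]+)\s+"
    r"(?P<offset>-?[\d.]+)\s+(?P<disp>[\d.]+)\s*$")


def ntp_timestamp_to_datetime(hex_ts):
    """Decode IOS's SECONDS.FRACTION hex rendering of a 64-bit NTP timestamp to UTC."""
    secs_hex, frac_hex = hex_ts.split(".")
    secs = int(secs_hex, 16) - NTP_UNIX_OFFSET
    micros = round(int(frac_hex, 16) / 2**32 * 1e6)
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=secs, microseconds=micros)


def parse_ntp_status(text):
    """Sync state, stratum, reference, root dispersion and reference time from 'show ntp status'."""
    m = re.search(r"Clock is (\w+), stratum (\d+), (?:reference is (\S+)|no reference clock)", text)
    if not m:
        raise ValueError("unrecognised 'show ntp status' output")
    disp = re.search(r"root dispersion is ([\d.]+) msec", text)
    ref_time = re.search(r"reference time is ([0-9A-Fa-f]+\.[0-9A-Fa-f]+)", text)
    return {
        "synchronized": m.group(1) == "synchronized",
        "stratum": int(m.group(2)),
        "reference": m.group(3),  # None when the router reports "no reference clock"
        "root_dispersion_ms": float(disp.group(1)) if disp else None,
        "reference_time_utc": ntp_timestamp_to_datetime(ref_time.group(1)) if ref_time else None,
    }


def parse_ntp_associations(text):
    """One dict per peer row of 'show ntp associations'; header and legend lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = ASSOC_LINE.match(line)
        if not m:
            continue
        reach = int(m["reach"], 8)  # shift register of the last 8 polls, printed in octal
        peers.append({
            "address": m["address"], "refclock": m["refclock"], "stratum": int(m["st"]),
            "state": STATE_FLAGS[m["flag"]], "configured": m["cfg"] == "~",
            "reach_bits": bin(reach).count("1"),
            "delay_ms": float(m["delay"]), "offset_ms": float(m["offset"]), "disp_ms": float(m["disp"]),
        })
    return peers


def assess(status_text, assoc_text, max_root_dispersion_ms=1000.0):
    """Combine both outputs into a verdict: which source the router follows and what looks wrong."""
    status = parse_ntp_status(status_text)
    peers = parse_ntp_associations(assoc_text)
    sys_peer = next((p for p in peers if p["state"] == "sys.peer"), None)
    upstreams = [p for p in peers if not p["address"].startswith("127.127.")]
    warnings = []
    if not status["synchronized"]:
        warnings.append("clock is not synchronized")
    if status["root_dispersion_ms"] is not None and status["root_dispersion_ms"] > max_root_dispersion_ms:
        warnings.append(f"root dispersion {status['root_dispersion_ms']} ms exceeds {max_root_dispersion_ms} ms")
    if sys_peer and sys_peer["address"].startswith("127.127.") and upstreams:
        warnings.append("running on the local reference clock although upstream servers are configured")
    for p in upstreams:
        if p["reach_bits"] < 8:
            warnings.append(f"{p['address']} answered only {p['reach_bits']} of the last 8 polls")
    return {"synchronized": status["synchronized"], "stratum": status["stratum"],
            "sys_peer": sys_peer["address"] if sys_peer else None,
            "sys_peer_stratum": sys_peer["stratum"] if sys_peer else None,
            "root_dispersion_ms": status["root_dispersion_ms"],
            "reference_time_utc": status["reference_time_utc"], "warnings": warnings}


if __name__ == "__main__":
    for key, value in assess(SHOW_NTP_STATUS, SHOW_NTP_ASSOCIATIONS).items():
        print(f"{key}: {value}")
```

Fed the same two outputs captured from each switch, assess() gives a quick way to confirm that every device follows the intended server rather than its own local clock, and the decoded reference time makes the AEST-to-UTC arithmetic in the IOS output verifiable.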

Similar Messages

  • Using a Cisco Switch as the NTP Master time source for a Windows PDC

    Hi all,
    We have a closed network (no connectivity to the internet) and we have a Core router setup as the NTP Master for the rest of the network.
    All network devices are getting the time synced as intended but we are having issues getting the Primary Domain Controller (PDC) registering to it as a valid NTP time source.
    The problem we have is that we are affected by IOS bug CSCed13703 which rejects the PDC as an NTP associated device. Short of changing the IOS on the Router, which is the main router feeding 30 other sites, I would like to point the PDC at a different switch (an NTP client switch) as its NTP source, rather than it going to the actual NTP Master.
    I have changed the values in the PDC to point to a different switch (3750) that has its time synced with the NTP master, but the PDC doesn't want to know. I assume it will only accept the time from an official NTP Master.
    Could any of you fine people advise if what I am trying to do is possible and, if so, how I would go about it? I was thinking of setting the 3750 with the NTP Master command also, but I don't want to confuse the other Cisco devices in the network.
    Thanks in advance
    David

    Thanks Marvin,
    I can confirm the Stratum on the 3750 is set to 15.  This is due to the NTP Time source being an internal router and not an authoritative time source out on the internet.  When setting the clock and using the NTP Master command on my internal router it sets the Stratum level to 14.
    I have pointed the PDC at the Router (Stratum 14) and it does successfully sync time, but won't trust it as a valid source after the first sync.  Upon reading I believed this to be the IOS bug as the symptoms are identical. Your theory of the PDC requiring a Stratum 2 time source is logical (especially in this scenario) but I have seen them use Stratum 4 before and it worked just fine.
    I guess I could change the Router acting as a time source for the network to be NTP Master 1 which should force Stratum 1, giving the PDC and all other switches pointing to it a Stratum level of 2, which would prove it either way.  I don't mind pointing the PDC at the router instead of the switch so long as it gets the time synced and trusts it from that point on.
    I was going to make the 3750 switch an NTP Master for the Network and point the PDC to it (as per my previous post) but I have noticed this morning that the NTP Master command isn't available on the 3750 as it has no hardware clock!
    Are you aware of any other way of forcing the 3750 to become a time source for the PDC without using the NTP Master command?  I have looked at the NTP Peer command and I have ruled this out already and I still need the switch to be a client of the NTP Master Router on the network
    Cheers for getting involved,
    David

  • Cisco Catalyst 3850 as ntp master

    Hi All,
    I have 2 x Cisco Catalyst 3850 stacked together. What are your recommendations if I use the C3850 as an NTP master for all edge switches connected in my network? All edge switches must be authenticated if they need NTP synchronization. But other than that, what are the downsides?
    For example,
    1. I heard that switches do not have an internal clock, so they are a poor device to be a centralized NTP master.
    2. I have also read that switches also have slow CPU processors that may lack the processing required.
    3. Its NTP synchronization will use external NTP servers which are resolved into IP addresses (e.g. pool.ntp.org). IP addresses can change. What other more reliable NTP sources are there?
    4. Any other thoughts and comments are most welcome.

    Firstly, DO NOT use the command "ntp master".  Cisco do not recommend using this command because it will confuse the NTP propagation inside the network.  
    Next, all Cisco devices do not have a dedicated clock.  All appliances need to get SNTP/NTP time synch from somewhere.  This "somewhere" could either be a dedicated GPS-based NTP server and/or a time synch somewhere out in the internet.  
    You can also use the command "ntp update-calendar".  This new command allows appliances to take regular "snapshot" of the time and save it into the NVRAM.  In case there was a reboot or a power failure, the appliance's time is not too far away instead of waiting 5 to 10 minutes for SNTP/NTP to synch.

  • Cisco 3750X as a NTP master

    Hi All,
    I would like to configure my core switches as the ntp master for the environment but also I would like to have the core switch sync with a public NTP server. Can you advise if this is possible? I have seen both commands available on the switch.
    Thanks

    It is possible, but you do not have to use the command "ntp master" on your switch.  Point all your devices to the switch and it should work.  
    The switch should be able to synchronize NTP with a trusted source.

  • C3750X with IOS 15.0(2)SE6 as a NTP master

    Hi All,
    Is it possible to configure a C3750X with IOS 15.0(2)SE6 as a NTP master?
    The configuration guide for IOS 12.2(55)SE states that it cannot function as an NTP master, but the configuration guide for IOS 15.0(2)SE does not state a NTP master.
    - for IOS 12.2(55)SE
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swadmin.html#pgfId-1053923
    - for IOS 15.0(2)SE
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_2_se/configuration/guide/3750x_cg/swadmin.html
    Thank you,

    I want the 3750X with IOS 15.0(2)SE6 to act as an NTP server for other devices in the same network if possible.
    The appliance can act as a "server" to other devices downstream PROVIDED the appliance gets synchronized to an authoritative server.  
    This is what we've done for our PCs, printers, phones, etc.  Our core router synchronizes with an authoritative server out on the internet.  Our core switches sync with our core router.  Our distro routers/switches sync with our core switch.  Our access switches sync with our distro.  PCs, printers, phones, etc. sync with our on-site access switches.  

  • Sandpit and master config

    What is the difference between Client 100 - Master Configuration and 110 - Sandpit

    Hi,
    The client Sandpit is nothing but the Sandbox in which we can play as per our own will and wish by doing some R & D. No need to generate any requests here.
    Whereas the other client, Master Configuration, is the one in which we do all the config settings, against which a request will be generated and then transported to other clients like Testing and PRD.
    Regards,
    Anji

  • Vendor master config settings

    Hi
    Please provide me vendor master various configuration settings.
    Thanks
    Raju

    hi
    follow the following steps for vendor creation
    1. Account group creation
    Finan accounting > acc receivable & payable > vendor acc > master record > preparation for creating vendor master > define acc group with screen
    2. Assign acc group to no range
    3. define partner schema
    MM > purchasing > partner determination > partner setting in VMR > define part schema
    4. assign partner schema to acc group
    5. define permissible partner roles
    6. now through XK01 tcode create vendor
    reward points if helpful
    regards
    chetan

  • Can't verify the Master keys

    So, here's my issue. I set up pacman-key --init just fine.
    Then I tried to add the master keys, but receive the following error:
    pacman-key -r 0x6AC6A4C2 0x824B18E8 0x4C7EA887 0xCDFD6BB0 0xFFF979E7
    gpg: requesting key 6AC6A4C2 from hkp server pgp.mit.edu
    gpg: requesting key 824B18E8 from hkp server pgp.mit.edu
    gpg: requesting key 4C7EA887 from hkp server pgp.mit.edu
    gpg: requesting key CDFD6BB0 from hkp server pgp.mit.edu
    gpg: requesting key FFF979E7 from hkp server pgp.mit.edu
    gpg: keyserver timed out
    gpg: keyserver receive failed: keyserver error
    ==> Updating trust database...
    gpg: no need for a trustdb check
    Doing it one-by-one also fails (but doesn't time out):
    pacman-key -r 0x6AC6A4C2
    gpg: requesting key 6AC6A4C2 from hkp server pgp.mit.edu
    gpgkeys: key 6AC6A4C2 not found on keyserver
    gpg: no valid OpenPGP data found.
    gpg: Total number processed: 0
    ==> Updating trust database...
    gpg: no need for a trustdb check
    The default server (hkp://keys.gnupg.net) always times out.
    Ideas?

    I've tried every keyserver on the wiki page here with the same result: http://en.wikipedia.org/wiki/Key_server … keyservers

  • Transport problem -Field selection -Material master config

    Hi
    I had done my Field selection config in the Golden client and tried copying it to the other client in the same box, but the config remains uncopied. Has anyone come across this problem? If so, please let me know how to overcome it.
    Regards
    Ratha

    It is very dangerous.
    Once the request no. is created and released, you cannot make changes in the configuration. If you do make changes, then another request no. will be created.
    Please ask your BASIS person.
    The normal procedure followed is:
    1. Create a transport request, say no. AAA123, in Development.
    2. Release it in SE10.
    3. Transport it to Quality.
    4. Do the checks & testing, giving the OK to move to production.
    5. Basis people will move the same request no. from Quality to Production.
    Hope you understand
    G.Ganesh Kumar

  • How to config N5K as NTP server

    I am testing the N5K as an NTP server. I have found a CLI command on the N7K, ntp master, but I have not found a similar command on the N5K. I am running Nexus OS 5.2.1.N(1).
    Any config example would be greatly appreciated.
    Thx.
    gy

    I do not know for certain about the JSPs you're talking about, but I would guess they should run just fine under JRun, and you wouldn't have to make JRun and JServ coexist.
    Quote, originally posted by One:
    Hi ilya:
    Thank you for your quick reply.
    I will try that way but I wonder if the thing like "how about the *.jsp developed by the JDeveloper and BC4J run under JRun; could and is it necessary to make the Apache+JServ and Apache+JRun co-exist ... "

  • Firewall ASA as Master NTP

    Good Morning
    We are facing this issue regarding network infrastructure of some customers we take care.
    In those infrastructures, only the network layer 3 device is allowed to consult an NTP master server (as stratum 0, for example). Although this layer 3 device acts as an NTP client of that server, for the other devices in the infrastructure the layer 3 device becomes the NTP master (stratum > 0).
    For some infrastructures a firewall ASA performs the layer 3 role and must be this way. Other devices depend on the firewall to synchronize their clocks.
    The question is: how can we configure the ASA as an NTP server, or is it not possible?

    I don't think there is any firmware support for using an ASA as an NTP time source, sorry.
    How deeply do you care about the stratum?  I run most of my clients at stratum 4, with only my outside DNS/NTP servers at stratum 3, consulting some upstream but nearby (inside the AS) stratum 2 servers.  This works fine; I'm not shooting for nanosecond precision.  There ought to be some NTP servers you can tap into closer than stratum 0 or 1.  Or you could buy a GPS based gizmo to act as a local time source.
    -- Jim Leinweber, WI State Lab of Hygiene

  • Anyone got NTP working with a Windows 2008 NTP server?

    Hello,
    I'm trying to sync the time on our routers and switches with a Windows 2008R2 server, but it doesn't work.  Has anyone managed to do this?
    Config:
    ntp master
    ntp update-calendar
    ntp server 192.168.2.164
    sh ntp associations
      address         ref clock         st   when   poll   reach    delay    offset     disp
    *~127.127.1.1     .LOCL.         7     11     16      377      0.000   0.000      0.225
    ~192.168.2.164  .INIT.          16      -      1024     0       0.000    0.000    15937.
    Windows 2008R2 server
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]
    "Enabled"=dword:00000001
    restart server
    w32tm /config /manualpeerlist:uk.pool.ntp.org,0x8 /syncfromflags:MANUAL
    net stop w32time
    net start w32time
    Doesn't work.
    Would Linux like Ubuntu be better?
    Thanks

    I got this working from a cisco 2911 router to Windows 7 computer.
    As per many articles, you are missing:-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
    "AnnounceFlags"=dword:00000005
    But the one that allows Cisco kit to Sync is:-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
    "LocalClockDispersion"=dword:00000000
    This article http://www.cisco.com/c/en/us/support/docs/ip/network-time-protocol-ntp/108076-ntp-troubleshoot.html talks about a root dispersion higher than 1000 ms (1 second) causing Cisco IOS NTP to unsynchronize itself.
    This article http://htluo.blogspot.co.uk/2009/02/ntp-network-time-protocol.html#comment-form was the only one I found that added to the usual "enable NTP server" registry key information, stating to change ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\LocalClockDispersion’ from 10 to 0.
    There were also articles that said the Windows NTP implementation was version 3, and therefore you had to append ‘version 3’ to the router's ‘ntp server x.x.x.x’ command. This may perhaps be true for earlier Windows versions, but it was NOT required for Windows 7.
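
As an added example, not code from either reply above, the following Python builds the 48-byte NTP client request, decodes a server reply into its stratum, reference ID and the 16.16 fixed-point root delay and root dispersion fields, and then applies the sanity rules a client applies before trusting the reply: a root dispersion above 1 s (the threshold the Cisco troubleshooting article cited above describes) and a root distance (half the root delay plus the dispersion) above the RFC 5905 MAXDIST of 1 s. The two replies are constructed here; the 10 s dispersion in the second one is an assumption modelling a Windows server left at the LocalClockDispersion value of 10 (documented in seconds) that the reply says has to be set to 0.

```python
import struct
import time
from datetime import datetime, timedelta, timezone

NTP_UNIX_OFFSET = 2208988800   # seconds between the NTP epoch (1900) and the Unix epoch (1970)
NTP_HEADER = ">BBBbII4sQQQQ"   # 48-byte NTPv3/v4 header in network byte order
MAXDIST_S = 1.0                # RFC 5905 MAXDIST: largest root distance a client will accept


def unix_to_ntp(t):
    """Unix time (float) -> 64-bit NTP timestamp: 32-bit seconds, 32-bit fraction."""
    secs = int(t) + NTP_UNIX_OFFSET
    frac = int((t - int(t)) * 2**32)
    return (secs << 32) | frac


def ntp_to_datetime(ts):
    """64-bit NTP timestamp -> timezone-aware UTC datetime."""
    secs = (ts >> 32) - NTP_UNIX_OFFSET
    micros = round((ts & 0xFFFFFFFF) / 2**32 * 1e6)
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=secs, microseconds=micros)


def build_request(version=4, transmit_unix=None):
    """Client request (mode 3): only LI/VN/mode and the transmit timestamp are filled in."""
    first = (0 << 6) | (version << 3) | 3
    xmt = unix_to_ntp(time.time() if transmit_unix is None else transmit_unix)
    return struct.pack(NTP_HEADER, first, 0, 0, 0, 0, 0, b"\0\0\0\0", 0, 0, 0, xmt)


def build_reply(stratum, root_delay_s, root_dispersion_s, ref_id, ref_unix, leap=0):
    """Server reply (mode 4); used here only to construct sample replies offline."""
    first = (leap << 6) | (4 << 3) | 4
    ts = unix_to_ntp(ref_unix)
    return struct.pack(NTP_HEADER, first, stratum, 6, -20,
                       int(root_delay_s * 65536), int(root_dispersion_s * 65536),  # 16.16 fixed point
                       ref_id, ts, ts, ts, ts)


def parse_packet(data):
    """Decode the fixed 48-byte header of a request or reply."""
    if len(data) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    (first, stratum, poll, precision, root_delay, root_disp, refid,
     ref_ts, _org_ts, _rec_ts, xmt_ts) = struct.unpack(NTP_HEADER, data[:48])
    if stratum <= 1:
        ref_id = refid.rstrip(b"\0").decode("ascii", "replace")   # e.g. LOCL, GPS, or a kiss code
    else:
        ref_id = ".".join(str(b) for b in refid)                    # IPv4 address of the upstream
    return {
        "leap": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
        "stratum": stratum, "poll": poll, "precision": precision,
        "root_delay_s": root_delay / 65536, "root_dispersion_s": root_disp / 65536,
        "ref_id": ref_id, "reference_time": ntp_to_datetime(ref_ts), "transmit_time": ntp_to_datetime(xmt_ts),
    }


def evaluate_server(pkt, max_root_dispersion_s=1.0):
    """Sanity rules applied before a reply is trusted; returns (accepted, reasons)."""
    reasons = []
    if pkt["mode"] != 4:
        reasons.append(f"not a server reply (mode {pkt['mode']})")
    if pkt["leap"] == 3:
        reasons.append("server flags its own clock as unsynchronized (LI=3)")
    if pkt["stratum"] == 0 or pkt["stratum"] >= 16:
        reasons.append(f"stratum {pkt['stratum']} is not a usable time source")
    if pkt["root_dispersion_s"] > max_root_dispersion_s:
        reasons.append(f"root dispersion {pkt['root_dispersion_s']:.3f} s exceeds {max_root_dispersion_s} s")
    root_distance = pkt["root_delay_s"] / 2 + pkt["root_dispersion_s"]
    if root_distance > MAXDIST_S:
        reasons.append(f"root distance {root_distance:.3f} s exceeds MAXDIST {MAXDIST_S} s")
    return (not reasons, reasons)


# Constructed sample replies. The upstream address and reference time are taken from the page;
# the 10 s dispersion is an assumption modelling a Windows server left at LocalClockDispersion=10.
REF_UNIX = 1429887485.305
GOOD_REPLY = build_reply(2, 0.035, 0.0, bytes([10, 66, 9, 16]), REF_UNIX)
NOISY_REPLY = build_reply(2, 0.035, 10.0, bytes([10, 66, 9, 16]), REF_UNIX)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_REPLY), ("noisy", NOISY_REPLY)):
        accepted, reasons = evaluate_server(parse_packet(pkt))
        print(name, "accepted" if accepted else "rejected", reasons)
```

The same parse_packet() can be pointed at a reply captured on the wire with tcpdump to see exactly what root dispersion a Windows time server is advertising before and after the registry change, rather than inferring it from the router's association table.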

  • NTP Log Errors

    So I just installed NTP on my server and verified everything is working as expected. Please keep in mind I am very green w/ systemd:
    [root@ion101 ~]# systemctl status ntpd.service
    ● ntpd.service - Network Time Service
    Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
    Active: active (running) since Fri 2014-10-24 18:36:04 UTC; 7min ago
    Process: 196 ExecStart=/usr/bin/ntpd -g -u ntp:ntp (code=exited, status=0/SUCCESS)
    Main PID: 203 (ntpd)
    CGroup: /system.slice/ntpd.service
    └─203 /usr/bin/ntpd -g -u ntp:ntp
    Oct 24 18:36:04 ion101.orl.voxeo.net ntpd[203]: bind(21) AF_INET6 fe80::2000:bff:fe5e:878e%2%2#123 flags 0x11 failed: Cannot assign requested address
    Oct 24 18:36:04 ion101.orl.voxeo.net ntpd[203]: unable to create socket on eth0 (5) for fe80::2000:bff:fe5e:878e%2#123
    Oct 24 18:36:04 ion101.orl.voxeo.net ntpd[203]: failed to init interface for address fe80::2000:bff:fe5e:878e%2
    Oct 24 18:36:04 ion101.orl.voxeo.net ntpd[203]: Listening on routing socket on fd #21 for interface updates
    Oct 24 18:36:04 ion101.orl.voxeo.net systemd[1]: Started Network Time Service.
    Oct 24 18:36:05 ion101.orl.voxeo.net ntpd[203]: bind(24) AF_INET6 fe80::2000:bff:fe5e:878e%2%2#123 flags 0x11 failed: Cannot assign requested address
    Oct 24 18:36:05 ion101.orl.voxeo.net ntpd[203]: unable to create socket on eth0 (6) for fe80::2000:bff:fe5e:878e%2#123
    Oct 24 18:36:05 ion101.orl.voxeo.net ntpd[203]: failed to init interface for address fe80::2000:bff:fe5e:878e%2
    Oct 24 18:36:08 ion101.orl.voxeo.net ntpd[203]: Listen normally on 7 eth0 [fe80::2000:bff:fe5e:878e%2]:123
    Oct 24 18:36:08 ion101.orl.voxeo.net ntpd[203]: new interface(s) found: waking up resolver
    I don't USE or WANT IPv6 on my Arch Linux server so I verified the service is disabled:
    [root@ion101 ~]# systemctl status ip6tables.service
    ● ip6tables.service - IPv6 Packet Filtering Framework
    Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled)
    Active: inactive (dead)
    Can someone please help me understand the logs above and what that means? Is this normal or should I make a config change to tell my NTP daemon config to only use the IPv4 Interface?

    ip6tables is just the IPv6 firewall. If you want to disable IPv6 see https://wiki.archlinux.org/index.php/IPv6#Disable_IPv6

  • What is going wrong with this config ??

    Hello guys,
    I am busting my head to find out what is going wrong with this config and can't figure it out, since I am not an advanced Cisco technician.
    The problem is that I can't access the 94.70.142.127 server that is supposed to be in a DMZ zone.
    I know it is a bit chaotic, but I would really appreciate any help since I am running on a deadline.
    I am building the config step by step, and although it seems to be working, access to the server is all of a sudden denied.
    No idea if it's a NAT issue, a firewall issue or a security audit issue.
    There are 3 vlans.
    Vlan 1 is the inside network.
    Vlan 2 is the DMZ server
    Vlan 3 is the Management Network.
    thanks in advance
    Building configuration...
    Current configuration : 11796 bytes
    ! Last configuration change at 11:28:33 PCTime Fri Jan 4 2013 by admin
    ! NVRAM config last updated at 11:27:51 PCTime Fri Jan 4 2013 by admin
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime
    service password-encryption
    service sequence-numbers
    hostname R1
    boot-start-marker
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 8
    logging message-counter syslog
    logging buffered 4096 informational
    enable secret 5 $1$oT7y$BwhdEjMJfAaTQI3dzDVwP.
    no aaa new-model
    memory-size iomem 10
    clock timezone PCTime 2
    clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00
    crypto pki trustpoint TP-self-signed-2567543707
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2567543707
    revocation-check none
    rsakeypair TP-self-signed-2567543707
    crypto pki certificate chain TP-self-signed-2567543707
    certificate self-signed 01
      30820244 308201AD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 32353637 35343337 3037301E 170D3133 30313032 30383431
      35335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 35363735
      34333730 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100ABA4 B7FFF4F1 9FBE79D8 2CEBCA68 A14BE3AB DBF770C2 EB35A954 B271AE3E
      F8485837 F2E8566B 66E5EF6B BCFCDFA3 8F6F91F3 FD8E3015 879A67F5 85DD95F5
      C26875C0 2202CA6C CE95888F 545AB4F6 6F708A0E C65E78D1 60967480 5589F5EE
      80505E46 8767CE2C 37C994FE AB555AF0 BA4C4679 63FF7641 34FFF6EF 3EC38006
      46B90203 010001A3 6C306A30 0F060355 1D130101 FF040530 030101FF 30170603
      551D1104 10300E82 0C52312E 646F636E 65742E67 72301F06 03551D23 04183016
      8014F0DE 85318FB3 70C36B4A FEB4B0CA 446025F0 329C301D 0603551D 0E041604
      14F0DE85 318FB370 C36B4AFE B4B0CA44 6025F032 9C300D06 092A8648 86F70D01
      01040500 03818100 5D76D5F4 5FB659C3 1E5B3777 420E1703 CD019889 AE79390D
      A2AA4D26 AD9913B4 B3292277 97ACACDD D7093465 78279B4D 5FAC0A21 EFBF3B74
      6A25BC5B ACFB648F 08F92678 00BB495C 037DEAF7 C5910944 3D2C0643 EA19E9BD
      0AFE5423 AADBB3C2 B2C94296 DABE0D3D 6438F7A8 32B0A92B 3E8E0D26 635070A3
      ACF87E49 65A9E468
          quit
    no ip source-route
    ip cef
    no ip bootp server
    ip domain name docnet.gr
    ip name-server 195.170.0.1
    no ipv6 cef
    username admin privilege 15 view root secret 5 $1$Lny5$et1FhWOpIKOOYRUtN89H10
    archive
    log config
      hidekeys
    ip tcp synwait-time 10
    ip ssh version 2
    class-map type inspect match-any WebService
    match protocol http
    match protocol https
    class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
    match class-map WebService
    match access-group name WebServer
    class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-1
    match access-group name Spoofing
    class-map type inspect match-any CCP-Voice-permit
    match protocol h323
    match protocol skinny
    match protocol sip
    class-map type inspect match-any tcp-udp
    match protocol http
    match protocol https
    match protocol dns
    match protocol icmp
    class-map type inspect match-all ccp-cls--3
    match access-group name mng-out
    match class-map tcp-udp
    class-map type inspect match-all ccp-cls--2
    match access-group name mng-self
    class-map type inspect match-all ccp-cls--4
    match access-group name mng-out-drop
    class-map type inspect match-any ccp-cls-insp-traffic
    match protocol cuseeme
    match protocol dns
    match protocol ftp
    match protocol h323
    match protocol https
    match protocol icmp
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp extended
    match protocol sql-net
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    class-map type inspect match-all ccp-insp-traffic
    match class-map ccp-cls-insp-traffic
    class-map type inspect match-any http-https-DMZ
    match protocol http
    match protocol https
    class-map type inspect match-all sdm-cls--2
    match class-map http-https-DMZ
    match access-group name web_server
    class-map type inspect match-any MySQLService
    match protocol mysql
    class-map type inspect match-all sdm-cls--1
    match class-map MySQLService
    match access-group name DMZtoMySQL
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-all ccp-icmp-access
    match class-map ccp-cls-icmp-access
    class-map type inspect match-all ccp-invalid-src
    match access-group 100
    class-map type inspect match-all sdm-nat-https-1
    match access-group 102
    match protocol https
    class-map type inspect match-all ccp-protocol-http
    match protocol http
    policy-map type inspect ccp-permit-icmpreply
    class type inspect ccp-icmp-access
      inspect
    class class-default
      pass
    policy-map type inspect sdm-pol-NATOutsideToInside-1
    class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-1
      drop
    class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
      inspect
    class type inspect sdm-nat-https-1
      inspect
    class class-default
      drop
    policy-map type inspect ccp-inspect
    class type inspect ccp-invalid-src
      drop log
    class type inspect ccp-protocol-http
      inspect
    class type inspect ccp-insp-traffic
      inspect
    class type inspect CCP-Voice-permit
      inspect
    class class-default
      drop
    policy-map type inspect ccp-permit
    class class-default
      drop
    policy-map type inspect sdm-policy-sdm-cls--1
    class type inspect sdm-cls--1
      inspect
    class class-default
      drop
    policy-map type inspect ccp-policy-ccp-cls--1
    class class-default
      drop
    policy-map type inspect ccp-policy-ccp-cls--3
    class type inspect ccp-cls--3
      inspect
    class class-default
      drop
    policy-map type inspect sdm-policy-sdm-cls--2
    class type inspect sdm-cls--2
      inspect
    class class-default
      drop
    policy-map type inspect ccp-policy-ccp-cls--2
    class type inspect ccp-cls--2
      inspect
    class class-default
      drop
    policy-map type inspect ccp-policy-ccp-cls--5
    class class-default
      drop
    zone security out-zone
    zone security in-zone
    zone security dmz-zone
    zone security mng
    zone-pair security ccp-zp-self-out source self destination out-zone
    service-policy type inspect ccp-permit-icmpreply
    zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
    service-policy type inspect sdm-pol-NATOutsideToInside-1
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-self source out-zone destination self
    service-policy type inspect ccp-permit
    zone-pair security zp-dmz-to-outside source dmz-zone destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security zp-outside-to-dmz source out-zone destination dmz-zone
    service-policy type inspect sdm-pol-NATOutsideToInside-1
    zone-pair security sdm-zp-dmz-zone-in-zone source dmz-zone destination in-zone
    service-policy type inspect sdm-policy-sdm-cls--1
    zone-pair security sdm-zp-in-zone-dmz-zone source in-zone destination dmz-zone
    service-policy type inspect sdm-policy-sdm-cls--2
    zone-pair security sdm-zp-dmz-zone-self source dmz-zone destination self
    service-policy type inspect ccp-policy-ccp-cls--1
    zone-pair security sdm-zp-mng-self source mng destination self
    service-policy type inspect ccp-policy-ccp-cls--2
    zone-pair security sdm-zp-mng-out-zone source mng destination out-zone
    service-policy type inspect ccp-policy-ccp-cls--3
    zone-pair security sdm-zp-out-zone-mng source out-zone destination mng
    service-policy type inspect ccp-policy-ccp-cls--5
    interface Null0
    no ip unreachables
    interface BRI0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    encapsulation hdlc
    shutdown
    isdn termination multidrop
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    no atm ilmi-keepalive
    interface ATM0.1 point-to-point
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    pvc 8/35
      pppoe-client dial-pool-number 1
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    switchport access vlan 3
    spanning-tree portfast
    interface FastEthernet3
    switchport access vlan 2
    interface Vlan1
    description $FW_INSIDE$
    ip address 192.168.0.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security in-zone
    ip tcp adjust-mss 1412
    interface Vlan2
    description $FW_INSIDE$
    ip address 192.168.1.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security dmz-zone
    interface Vlan3
    description $FW_INSIDE$
    ip address 10.0.10.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security mng
    interface Dialer0
    description $FW_OUTSIDE$
    ip address negotiated
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1452
    ip flow ingress
    ip nat outside
    ip virtual-reassembly max-reassemblies 64
    zone-member security out-zone
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname [email protected]
    ppp chap password 7 0918425001505245
    ppp pap sent-username [email protected] password 7 13511B4B1359417D
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 10.0.10.0 255.255.255.0 Vlan3
    no ip http server
    ip http secure-server
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static 192.168.0.101 94.70.142.113
    ip nat inside source static 192.168.1.102 94.70.142.127
    ip access-list extended DMZtoMySQL
    remark CCP_ACL Category=128
    permit ip host 192.168.1.102 host 192.168.0.101
    ip access-list extended Spoofing
    remark CCP_ACL Category=128
    permit ip 10.0.0.0 0.255.255.255 any
    permit ip 192.168.0.0 0.0.255.255 any
    permit ip 172.16.0.0 0.15.255.255 any
    ip access-list extended VTY_incoming
    remark CCP_ACL Category=1
    permit ip host 10.0.10.2 any
    ip access-list extended WebServer
    remark CCP_ACL Category=128
    permit ip any host 192.168.1.102
    ip access-list extended mng-out
    remark CCP_ACL Category=128
    permit ip 10.0.10.0 0.0.0.255 any
    ip access-list extended mng-out-drop
    remark CCP_ACL Category=128
    permit ip any any
    ip access-list extended mng-self
    remark CCP_ACL Category=128
    permit ip any any
    ip access-list extended web_server
    remark CCP_ACL Category=128
    permit ip 192.168.0.0 0.0.0.255 host 192.168.1.102
    logging 10.0.10.2
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 remark VLan 1 Access
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 1 remark VLan 3 Access
    access-list 1 permit 10.0.10.0 0.0.0.255
    access-list 1 remark Vlan 2 Access
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 102 remark CCP_ACL Category=0
    access-list 102 permit ip any host 192.168.0.101
    dialer-list 1 protocol ip permit
    no cdp run
    control-plane
    banner login ^CWARNING!!!This is a highly monitored private system. Access is prohibited!!^C
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    access-class VTY_incoming in
    password 7 12292504011C5C162E
    login local
    transport input ssh
    scheduler max-task-time 5000
    ntp authentication-key 1 md5 10603D29214711255F106B2677 7
    ntp authenticate
    ntp trusted-key 1
    ntp master 2
    end

    Hello karolos,
    Here is the thing.
    You said you are trying to access 94.70.142.113 and that is a server on the DMZ, but based on your configuration that is not true:
    ip nat inside source static 192.168.0.101 94.70.142.113
    So 192.168.0.101 is on Vlan 1, which is the in-zone:
    interface Vlan1
    description $FW_INSIDE$
    ip address 192.168.0.1 255.255.255.0
    security in-zone
    If you got confused with the security zone that the host is assigned to, then just add the following and it should work:
    ip access-list extended WebServer
    permit ip any host 192.168.0.101
    Regards
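    The check the reply walks through, as an added example that is not part of the thread: map each static NAT entry back to the security zone of its inside host, using a constructed excerpt of the config quoted above (the Dialer0 lines are included only to show how an interface without a static address is skipped).

```python
import ipaddress
import re
# Constructed excerpt of the running config quoted in the thread: the three
# inside VLAN interfaces, their zone membership and the two static NAT entries.
CONFIG = """\
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 zone-member security in-zone
interface Vlan2
 ip address 192.168.1.1 255.255.255.0
 zone-member security dmz-zone
interface Vlan3
 ip address 10.0.10.1 255.255.255.0
 zone-member security mng
interface Dialer0
 ip address negotiated
 zone-member security out-zone
ip nat inside source static 192.168.0.101 94.70.142.113
ip nat inside source static 192.168.1.102 94.70.142.127
"""

def interface_zones(config):
    """Return (interface, subnet, zone) for every interface with a static address and a zone."""
    zones, name, subnet = [], None, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            name, subnet = words[1], None
        elif words[:2] == ["ip", "address"] and len(words) >= 4:
            # 'ip address negotiated' has no mask, so there is no subnet to match hosts against
            subnet = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
        elif words[:2] == ["zone-member", "security"] and subnet is not None:
            zones.append((name, subnet, words[2]))
    return zones

def static_nat_zones(config):
    """Map each static NAT's outside address to the inside host and the zone that host sits in."""
    zones = interface_zones(config)
    result = {}
    for m in re.finditer(r"^ip nat inside source static (\S+) (\S+)", config, re.M):
        inside = ipaddress.ip_address(m[1])
        zone = next((z for _, net, z in zones if inside in net), None)
        result[m[2]] = (str(inside), zone)
    return result

if __name__ == "__main__":
    for outside, (inside, zone) in static_nat_zones(CONFIG).items():
        print(f"{outside} -> {inside} (zone: {zone})")
```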

  • NTP server unreachable through ASA firewall

    Hi all,
    I've configured a DMZ switch to point to an NTP server on the Inside, but I get a debug message on the switch that says:
    NTP: <NTP server IP address> unreachable
    I'm confident that the NTP server is configured properly, as there are more than a dozen other hosts using it, successfully. The difficulty here is that the NTP packets are having to flow from the DMZ to the Inside. I have a rule set on the firewall that permits the IP address of the switch to connect to the IP address of the NTP server as follows:
    access-list intdmz1_acl extended permit udp host <IP address of switch> host <IP address of NTP server> eq ntp
    I can see the hit counter on this rule incrementing.
    The firewall can ping the NTP server, and the NTP server can ping the switch, so I think routing is OK.
    Output from the DMZ switch:
    switch#show ntp associations
          address         ref clock     st  when  poll reach  delay  offset    disp
    ~192.168.65.254   0.0.0.0          16     -    64    0     0.0    0.00  16000.
    * master (synced), # master (unsynced), + selected, - candidate, ~ configured
    switch#show ntp status
    Clock is unsynchronized, stratum 16, no reference clock
    nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
    reference time is 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
    clock offset is 0.0000 msec, root delay is 0.00 msec
    root dispersion is 0.00 msec, peer dispersion is 0.00 msec
    PRNLN-DMZ-SW01#sh run | inc ntp
    ntp source Vlan138
    ntp server 192.168.65.254
    ukhvdc00vs01#sh run | inc ntp
    ntp source Vlan65
    ntp master 3
    ntp update-calendar
    ntp server 0.uk.pool.ntp.org
    ntp server 1.uk.pool.ntp.org
    PRNLN-DMZ-SW01#show ntp status
    Clock is unsynchronized, stratum 16, no reference clock
    nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
    reference time is 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
    clock offset is 0.0000 msec, root delay is 0.00 msec
    root dispersion is 0.00 msec, peer dispersion is 0.00 msec
    Does the firewall rule need to permit more than UDP/123 for this to work perhaps?
    NTP config on DMZ switch:
    switch#sh run | inc ntp
    ntp source Vlan138
    ntp server <IP address of NTP server>
    ===================
    NTP config on NTP server:
    NTP_Server#sh run | inc ntp
    ntp source Vlan65
    ntp master 3
    ntp update-calendar
    ntp server 0.uk.pool.ntp.org
    ntp server 1.uk.pool.ntp.org
    Any guidance welcomed.
    Thank you,
    Olly
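    An added example, not from the post, that reads 'show ntp associations' rows the way an operator does: the reach column is an octal register of the last eight polls, so reach 0 means no reply ever came back, whatever the firewall hit counter says. The unreachable row is the one quoted above; the healthy row for 192.0.2.10 is made up for contrast.

```python
import re

# Constructed sample of 'show ntp associations' output: the unreachable peer row
# quoted from the DMZ switch in the post, plus one healthy peer row (192.0.2.10,
# made up) so that both outcomes are exercised.
SHOW_NTP_ASSOC = """\
      address         ref clock     st  when  poll reach  delay  offset    disp
 ~192.168.65.254   0.0.0.0          16     -    64    0     0.0    0.00  16000.
*~192.0.2.10       .GPS.             1    48    64  377    1.2    0.40    3.7
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

# One association row: optional status flags, peer address, then the numeric columns.
ROW = re.compile(
    r"^\s*(?P<flags>[*#+x~-]*)(?P<addr>\S+)\s+(?P<ref>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]{1,3})\s+"
    r"(?P<delay>\S+)\s+(?P<offset>\S+)\s+(?P<disp>\S+)\s*$"
)

def parse_associations(text):
    """Return one dict per peer row; the header and legend lines do not match ROW."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        peer = m.groupdict()
        peer["st"] = int(peer["st"])
        # 'reach' is an octal shift register of the last eight polls (bit 0 = newest poll)
        peer["reach_bits"] = int(peer["reach"], 8)
        peers.append(peer)
    return peers

def assess(peer):
    """Read a row the way an operator does: reachability first, then sync state."""
    if peer["reach_bits"] == 0:
        return "unreachable: no reply to any of the last 8 polls"
    if peer["st"] >= 16 or peer["ref"] == "0.0.0.0":
        return "reachable, but the peer itself is unsynchronized"
    answered = bin(peer["reach_bits"]).count("1")
    if "*" in peer["flags"]:
        return f"synchronized to this peer ({answered}/8 recent polls answered)"
    return f"candidate, {answered}/8 recent polls answered"

if __name__ == "__main__":
    for p in parse_associations(SHOW_NTP_ASSOC):
        print(f"{p['addr']:<16} st {p['st']:>2} reach {p['reach']:>3}: {assess(p)}")
```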

    Hi Julio,
    For the purposes of this information:
    DMZ switch IP = 5.6.7.8
    NTP server IP = 10.1.1.1
    Here's the output from the show commands:
    ciscoasa# show capture NTPCAPTUREDMZ
    11 packets captured
       1: 16:22:05.271500 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       2: 16:23:09.276185 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       3: 16:24:13.274033 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       4: 16:24:57.272813 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       5: 16:24:58.279480 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       6: 16:24:59.277817 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       7: 16:25:00.275971 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       8: 16:25:01.275559 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       9: 16:25:02.272599 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
      10: 16:25:03.279129 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
      11: 16:25:04.277710 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    11 packets shown
    ciscoasa# show capture NTPCAPTUREINSIDE
    0 packet captured
    0 packet shown
    ciscoasa# show capture NTPASP | include 10.1.1.1
    419: 16:24:13.274171 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    1820: 16:24:57.272904 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    1841: 16:24:58.279587 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    1876: 16:24:59.277909 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    1934: 16:25:00.276062 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2027: 16:25:01.275651 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2068: 16:25:02.272690 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2095: 16:25:03.279221 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2129: 16:25:04.277802 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2200: 16:25:05.275849 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2233: 16:25:06.274094 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2275: 16:25:07.273606 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2327: 16:25:08.280182 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2347: 16:25:09.277222 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2373: 16:25:10.275467 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2399: 16:25:11.273759 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2414: 16:25:12.273347 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    I'm guessing we should see some packets in the second capture, but we're not...
    Does this help?
    Thanks!
    Olly
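    An added example (not Olly's or Julio's code) that turns the three captures above into a verdict on where the NTP exchange stops; it assumes NTPASP is an asp-drop capture, as its name suggests, which the post does not state. The sample lines are constructed in the format of the output quoted above.

```python
import re
# Constructed sample lines in the format of the ASA 'show capture' output quoted
# above (switch 5.6.7.8, server 10.1.1.1). NTPASP is assumed to be an asp-drop capture.
CAPTURES = {
    "NTPCAPTUREDMZ": """\
   1: 16:22:05.271500 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
   2: 16:23:09.276185 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
""",
    "NTPCAPTUREINSIDE": "",
    "NTPASP": """\
 419: 16:24:13.274171 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
1820: 16:24:57.272904 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
""",
}
# One packet line: index, timestamp, optional 802.1Q tag, src.port > dst.port: udp len
PKT = re.compile(
    r"^\s*\d+:\s+\S+\s+(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp \d+"
)

def ntp_flows(text, client, server):
    """Count NTP requests (client->server) and replies (server->client) in one capture."""
    requests = replies = 0
    for line in text.splitlines():
        m = PKT.match(line)
        if not m or m["sport"] != "123" or m["dport"] != "123":
            continue
        if (m["src"], m["dst"]) == (client, server):
            requests += 1
        elif (m["src"], m["dst"]) == (server, client):
            replies += 1
    return requests, replies

def triage(captures, client, server):
    """Locate where the exchange stops: DMZ ingress, inside egress, or the server."""
    dmz_req, dmz_rep = ntp_flows(captures["NTPCAPTUREDMZ"], client, server)
    in_req, in_rep = ntp_flows(captures["NTPCAPTUREINSIDE"], client, server)
    dropped, _ = ntp_flows(captures["NTPASP"], client, server)
    if dmz_req == 0:
        return "no requests seen on the DMZ interface: look at the switch, not the ASA"
    if in_req == 0:
        return (f"{dmz_req} requests enter on DMZ, none leave on inside, "
                f"{dropped} seen in the asp-drop capture: the ASA is dropping them")
    if in_rep == 0:
        return "requests reach the inside network but the server never answers"
    if dmz_rep == 0:
        return "replies arrive on inside but are not forwarded back to the DMZ"
    return "complete request/reply exchange on both interfaces"
```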
