Verify NTP master config
I have a router BRI_2811_1 which is getting NTP from 10.66.41.201 and this is working.
When I then wish to make BRI_2811_1 the master for my local network, the internal clock on this router comes up as "insane". Why is this so? Eventually I would like all my switches to look to BRI_2811 as their NTP master.
BRI_2811_1#show run | i ntp|clock
clock timezone AEST 10 0
clock calendar-valid
ntp source Loopback0
ntp master 6
ntp server 10.66.41.201
BRI_2811_1#
BRI_2811_1#
BRI_2811_1#show ntp stat
BRI_2811_1#show ntp status
Clock is synchronized, stratum 5, reference is 10.66.41.201
nominal freq is 250.0000 Hz, actual freq is 249.9950 Hz, precision is 2**24
reference time is D8E4D87D.4E30DD39 (00:58:05.305 AEST Sat Apr 25 2015)
clock offset is -5.1655 msec, root delay is 57.61 msec
root dispersion is 326.92 msec, peer dispersion is 3.74 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000019698 s/s
system poll interval is 64, last update was 172 sec ago.
BRI_2811_1#
BRI_2811_1#show ntp ass
address ref clock st when poll reach delay offset disp
~127.127.1.1 .LOCL. 5 13 16 377 0.000 0.000 0.243
*~10.66.41.201 10.66.9.16 4 48 64 377 22.535 -5.165 3.749
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
BRI_2811_1#
BRI_2811_1#show ntp ass det
127.127.1.1 configured, insane, invalid, stratum 5
ref ID .LOCL., time D8E4D932.4915B594 (01:01:06.285 AEST Sat Apr 25 2015)
our mode active, peer mode passive, our poll intvl 16, peer poll intvl 16
root delay 0.00 msec, root disp 0.00, reach 377, sync dist 2.74
delay 0.00 msec, offset 0.0000 msec, dispersion 0.24
precision 2**24, version 4
org time D8E4D932.4915B594 (01:01:06.285 AEST Sat Apr 25 2015)
rec time D8E4D932.491675DE (01:01:06.285 AEST Sat Apr 25 2015)
xmt time D8E4D932.49152E3B (01:01:06.285 AEST Sat Apr 25 2015)
filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 0.00 0.25 0.51 0.75 1.02 1.26 1.51 1.75
minpoll = 4, maxpoll = 4
10.66.41.201 configured, our_master, sane, valid, stratum 4
ref ID 43.66.9.16 , time D8E4D803.F3B64840 (00:56:03.952 AEST Sat Apr 25 2015)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 35.07 msec, root disp 317.04, reach 377, sync dist 386.52
delay 22.53 msec, offset -5.1655 msec, dispersion 3.74
precision 2**10, version 4
org time D8E4D8FE.4A7EFAA8 (01:00:14.291 AEST Sat Apr 25 2015)
rec time D8E4D8FE.4EB368F5 (01:00:14.307 AEST Sat Apr 25 2015)
xmt time D8E4D8FE.48E78643 (01:00:14.284 AEST Sat Apr 25 2015)
filtdelay = 22.64 22.77 22.53 22.65 22.82 22.97 22.57 22.82
filtoffset = -5.10 -5.22 -5.16 -6.06 -5.33 -6.43 -6.73 -6.89
filterror = 0.97 1.96 2.91 3.85 4.83 5.80 6.75 7.72
minpoll = 6, maxpoll = 10
no access groups at all and router is next hop
HQ-3845#show clock det
10:40:01.020 AEST Sun Apr 26 2015
Time source is NTP
HQ-3845#sho ntp ass det
127.127.1.1 configured, insane, invalid, stratum 6
ref ID .LOCL., time D8E6B25A.72DE3D46 (10:39:54.448 AEST Sun Apr 26 2015)
our mode active, peer mode passive, our poll intvl 16, peer poll intvl 16
root delay 0.00 msec, root disp 0.00, reach 377, sync dist 2.96
delay 0.00 msec, offset 0.0000 msec, dispersion 0.24
precision 2**24, version 4
org time D8E6B25A.72DE3D46 (10:39:54.448 AEST Sun Apr 26 2015)
rec time D8E6B25A.72DE9CB0 (10:39:54.448 AEST Sun Apr 26 2015)
xmt time D8E6B25A.72DE0842 (10:39:54.448 AEST Sun Apr 26 2015)
filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 0.00 0.25 0.49 0.73 0.99 1.26 1.53 1.78
minpoll = 4, maxpoll = 4
10.66.202.252 configured, our_master, sane, valid, stratum 4
ref ID 10.66.9.16 , time D8E6B1CB.E328A743 (10:37:31.887 AEST Sun Apr 26 2015)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 74.53 msec, root disp 189.16, reach 377, sync dist 306.79
delay 0.61 msec, offset -1.8279 msec, dispersion 4.73
precision 2**22, version 4
org time D8E6B23E.726564BD (10:39:26.446 AEST Sun Apr 26 2015)
rec time D8E6B23E.72FFC6BD (10:39:26.449 AEST Sun Apr 26 2015)
xmt time D8E6B23E.72CFC2A8 (10:39:26.448 AEST Sun Apr 26 2015)
filtdelay = 0.71 0.68 0.71 0.68 0.72 0.73 0.70 0.61
filtoffset = -1.99 -1.97 -1.96 -1.97 -1.97 -1.97 -1.90 -1.82
filterror = 0.00 0.99 1.93 2.91 3.90 4.87 5.82 6.81
minpoll = 6, maxpoll = 10
Similar Messages
-
Using a Cisco Switch as the NTP Master time source for a Windows PDC
Hi all,
We have a closed network (no connectivity to the internet) and we have a Core router setup as the NTP Master for the rest of the network.
All network devices are getting the time synced as intended but we are having issues getting the Primary Domain Controller (PDC) registering to it as a valid NTP time source.
The problem we have is that we are affected by IOS bug CSCed13703 which rejects the PDC as an NTP associated device. Short of changing the IOS on the Router which is the main router feeding 30 other sites, I would like to point the PDC at a different switch (an NTP Client switch) as its NTP source, rather than it going to the actual NTP Master.
I have changed the values in the PDC to point to a different switch (3750) that has its time synced with the NTP master, but the PDC doesn't want to know. I assume it will only accept the time from an official NTP Master.
Could any of you fine people advise if what I am trying to do is possible and if so how I would go about it? I was thinking of setting the 3750 with the NTP Master command also, but I don't want to confuse the other Cisco devices in the network.
Thanks in advance
David
Thanks Marvin,
I can confirm the Stratum on the 3750 is set to 15. This is due to the NTP Time source being an internal router and not an authoritative time source out on the internet. When setting the clock and using the NTP Master command on my internal router it sets the Stratum level to 14.
I have pointed the PDC at the Router (Stratum 14) and it does successfully sync time, but won't trust it as a valid source after the first sync. Upon reading I believed this to be the IOS bug as the symptoms are identical. Your theory of the PDC requiring a Stratum 2 time source is logical (especially in this scenario) but I have seen them use Stratum 4 before and it worked just fine.
I guess I could change the Router acting as a time source for the network to be NTP Master 1 which should force Stratum 1, giving the PDC and all other switches pointing to it a Stratum level of 2, which would prove it either way. I don't mind pointing the PDC at the router instead of the switch so long as it gets the time synced and trusts it from that point on.
I was going to make the 3750 switch an NTP Master for the Network and point the PDC to it (as per my previous post) but I have noticed this morning that the NTP Master command isn't available on the 3750 as it has no hardware clock!
Are you aware of any other way of forcing the 3750 to become a time source for the PDC without using the NTP Master command? I have looked at the NTP Peer command and I have ruled this out already and I still need the switch to be a client of the NTP Master Router on the network
Cheers for getting involved,
David -
Cisco Catalyst 3850 as ntp master
Hi All,
I have 2 x Cisco Catalyst 3850 stacked together. What are your recommendations if I use the C3850 as an NTP master for all edge switches connected in my network? All edge switches must be authenticated if they need NTP synchronization. But other than that, what are the downsides?
For example,
1. I heard that switches do not have an internal clock, so they are poor devices to be a centralized NTP master.
2. I have also read that switches also have slow CPU processors that may lack the processing required.
3. Its NTP synchronization will use external NTP servers which are resolved into IP addresses (e.g. pool.ntp.org). IP addresses can change. What other more reliable NTP sources are there?
4. Any other thoughts and comments are most welcome.
Firstly, DO NOT use the command "ntp master". Cisco do not recommend using this command because it will confuse the NTP propagation inside the network.
Next, all Cisco devices do not have a dedicated clock. All appliances need to get SNTP/NTP time synch from somewhere. This "somewhere" could either be a dedicated GPS-based NTP server and/or a time synch somewhere out in the internet.
You can also use the command "ntp update-calendar". This new command allows appliances to take regular "snapshot" of the time and save it into the NVRAM. In case there was a reboot or a power failure, the appliance's time is not too far away instead of waiting 5 to 10 minutes for SNTP/NTP to synch. -
Hi All,
I would like to configure my core switches as the ntp master for the environment but also I would like to have the core switch sync with a public NTP server. Can you advise if this is possible? I have seen both commands available on the switch.
Thanks
It is possible but you do not have to use the command "ntp master" on your switch. Point all your devices to the switch and it should work.
The switch should be able to synchronize NTP with a trusted source. -
C3750X with IOS 15.0(2)SE6 as a NTP master
Hi All,
Is it possible to configure a C3750X with IOS 15.0(2)SE6 as an NTP master?
The configuration guide for IOS 12.2(55)SE states that it cannot function as an NTP master, but the configuration guide for IOS 15.0(2)SE does not mention an NTP master.
- for IOS 12.2(55)SE
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swadmin.html#pgfId-1053923
- for IOS 15.0(2)SE
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_2_se/configuration/guide/3750x_cg/swadmin.html
Thank you,
I want the 3750X with IOS 15.0(2)SE6 as an NTP server for other devices in the same network if possible.
The appliance can act as a "server" to other devices downstream PROVIDED the appliance gets synchronized to an authoritative server.
This is what we've done to our PCs, printers, phones, etc. Our core router synchronizes with an authoritative server out the internet. Our core switches synch with our core router. Our distro router/switches synch with our core switch. Our access switches synch with our distro. PCs, printers, phones, etc synch with our on-site access switches. -
What is the difference between Client 100 - Master Configuration and 110 - Sandpit
Hi,
The client Sandpit is nothing but the Sandbox in which we can play as per our own will and wish by doing some R & D. No need to generate any requests here.
Whereas the other client, Master Configuration, is the one in which we do all the config settings, against which a request will be generated and transported to other clients like Testing and PRD.
Regards,
Anji -
Hi
Please provide me vendor master various configuration settings.
Thanks
Raju
hi
follow the following steps for vendor creation
1. Account group creation
Financial accounting > acc receivable & payable > vendor acc > master record > preparation for creating vendor master > define acc group with screen
2. Assign acc group to no. range
3. Define partner schema
MM > purchasing > partner determination > partner setting in VMR > define partner schema
4. Assign partner schema to acc group
5. Define permissible partner roles
6. now through XK01 tcode create vendor
reward points if helpful
regards
chetan -
So, here's my issue. I set up pacman-key --init just fine.
Then I tried to add the master keys, but receive the following error:
pacman-key -r 0x6AC6A4C2 0x824B18E8 0x4C7EA887 0xCDFD6BB0 0xFFF979E7
gpg: requesting key 6AC6A4C2 from hkp server pgp.mit.edu
gpg: requesting key 824B18E8 from hkp server pgp.mit.edu
gpg: requesting key 4C7EA887 from hkp server pgp.mit.edu
gpg: requesting key CDFD6BB0 from hkp server pgp.mit.edu
gpg: requesting key FFF979E7 from hkp server pgp.mit.edu
gpg: keyserver timed out
gpg: keyserver receive failed: keyserver error
==> Updating trust database...
gpg: no need for a trustdb check
Doing it one-by-one also fails (but doesn't time out):
pacman-key -r 0x6AC6A4C2
gpg: requesting key 6AC6A4C2 from hkp server pgp.mit.edu
gpgkeys: key 6AC6A4C2 not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
==> Updating trust database...
gpg: no need for a trustdb check
The default server (hkp://keys.gnupg.net) always times out.
Ideas?
I've tried every keyserver on the wiki page here with the same result: http://en.wikipedia.org/wiki/Key_server … keyservers
-
Transport problem -Field selection -Material master config
Hi
I had done my Field selection config in the Golden client and tried copying it to the other client in the same box, but the config remains uncopied. Has anyone come across this problem? If so, please let me know how to overcome it.
Regards
Ratha
It is very dangerous.
Once the request no. is created and released, you cannot make changes in the configuration. If you do make changes, then another request no. will be created.
Please ask your BASIS person.
The normal procedure followed is:
1. Created transport request, say no. AAA123, in Development
2. Released in SE10
3. Transported to Quality
4. Do the check & testing, giving OK to move to production
5. Basis people will move the same request no. from Quality to Production
Hope you understand
G.Ganesh Kumar -
How to config N5K as NTP server
I am testing the NTP server feature on the N5K. I have found a CLI command on the N7K, ntp master, but I have not found a similar command on the N5K. I am running Nexus OS 5.2.1.N(1).
Any config example would be greatly appreciated.
Thx.
gy
-
I do not know for certain about the JSPs you're talking about, but I would guess they should run just fine under JRun, and you wouldn't have to make JRun and JServ coexist.
Originally posted by One:
Hi ilya:
Thank you for your quick reply.
I will try that way but I wonder if the thing like "how about the *.jsp developed by the JDeveloper and BC4J run under JRun; could and is it necessary to make the Apache+JServ and Apache+JRun co-exist ... "
-
Good Morning
We are facing this issue regarding the network infrastructure of some customers we take care of.
In those infrastructures, only the layer 3 device is allowed to consult an NTP master server (as stratum 0, for example). Although this layer 3 device acts as an NTP client of that server, for the other devices in the infrastructure the layer 3 device becomes the NTP master (stratum > 0).
For some infrastructures a firewall (ASA) performs the layer 3 role and must be this way. Other devices depend on the firewall to synchronize the clock.
The question is: how can we configure the ASA as an NTP server, or is it not possible?
I don't think there is any firmware support for using an ASA as an NTP time source, sorry.
How deeply do you care about the stratum? I run most of my clients at stratum 4, with only my outside DNS/NTP servers at stratum 3, consulting some upstream but nearby (inside the AS) stratum 2 servers. This works fine; I'm not shooting for nanosecond precision. There ought to be some NTP servers you can tap into closer than stratum 0 or 1. Or you could buy a GPS based gizmo to act as a local time source.
-- Jim Leinweber, WI State Lab of Hygiene -
Anyone got NTP working with a Windows 2008 NTP server?
Hello,
I'm trying to sync the time on our routers and switches with a Windows 2008R2 server, but it doesn't work. Has anyone managed to do this?
Config:
ntp master
ntp update-calendar
ntp server 192.168.2.164
sh ntp associations
address ref clock st when poll reach delay offset disp
*~127.127.1.1 .LOCL. 7 11 16 377 0.000 0.000 0.225
~192.168.2.164 .INIT. 16 - 1024 0 0.000 0.000 15937.
Windows 2008R2 server
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]
"Enabled"=dword:00000001
restart server
w32tm /config /manualpeerlist:uk.pool.ntp.org,0x8 /syncfromflags:MANUAL
net stop w32time
net start w32time
Doesn't work.
Would Linux like Ubuntu be better?
Thanks
I got this working from a Cisco 2911 router to a Windows 7 computer.
As per many articles, you are missing:-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"AnnounceFlags"=dword:00000005
But the one that allows Cisco kit to Sync is:-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"LocalClockDispersion"=dword:00000000
This article http://www.cisco.com/c/en/us/support/docs/ip/network-time-protocol-ntp/108076-ntp-troubleshoot.html talks about a root dispersion higher than 1000 ms (1 second) causing Cisco IOS NTP to unsynchronize itself.
This article http://htluo.blogspot.co.uk/2009/02/ntp-network-time-protocol.html#comment-form was the only one I found that added to the normal "enable NTP server" registry key information, stating to change ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\LocalClockDispersion’ from 10 to 0.
There were also articles that said that the Windows NTP implementation was version 3, and therefore you had to append ‘version 3’ to the router's ‘ntp server x.x.x.x’ command. This may perhaps be true for earlier Windows versions, but was NOT required for Windows 7. -
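As an added example (not code from either thread), here are the sanity checks a practitioner would run over the `show ntp associations` / `show ntp status` output quoted in the first thread, plus the root-dispersion threshold from the answer just above. The regexes, the threshold constant and the finding texts are my own; the sample inputs are copied from the outputs quoted on this page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

LOCAL_CLOCK = "127.127.1.1"   # pseudo-address IOS gives the 'ntp master' local clock
MAX_DISPERSION_MS = 1000.0    # limit from the Cisco troubleshooting note quoted above

# One association per line: flag chars, address, ref clock, stratum, when (or '-'),
# poll, reach (octal), delay, offset, dispersion. Header and legend lines never match.
ASSOC_RE = re.compile(
    r"^(?P<flags>[*#+x~-]*)(?P<addr>\d[\d.]*)\s+(?P<ref>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<when>\d+|-)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<disp>[\d.]+)\s*$"
)
STATUS_RE = re.compile(r"Clock is (?P<state>\w+), stratum (?P<st>\d+)")
ROOT_DISP_RE = re.compile(r"root dispersion is (?P<ms>[\d.]+) msec")

# Inputs copied from the outputs quoted in the threads above (not constructed).
BRI_ASSOC = """\
address ref clock st when poll reach delay offset disp
~127.127.1.1 .LOCL. 5 13 16 377 0.000 0.000 0.243
*~10.66.41.201 10.66.9.16 4 48 64 377 22.535 -5.165 3.749
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""
BRI_STATUS = """\
Clock is synchronized, stratum 5, reference is 10.66.41.201
root dispersion is 326.92 msec, peer dispersion is 3.74 msec
"""
WIN_ASSOC = """\
*~127.127.1.1 .LOCL. 7 11 16 377 0.000 0.000 0.225
~192.168.2.164 .INIT. 16 - 1024 0 0.000 0.000 15937.
"""
DMZ_ASSOC = """\
~192.168.65.254 0.0.0.0 16 - 64 0 0.0 0.00 16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""
DMZ_STATUS = """\
Clock is unsynchronized, stratum 16, no reference clock
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
"""


@dataclass
class Association:
    flags: str
    addr: str
    ref: str
    stratum: int
    reach: int        # 8-bit reach register, decoded from the octal column
    disp_ms: float

    @property
    def is_sys_peer(self) -> bool:
        return "*" in self.flags   # '*' marks the peer the system clock follows


def parse_associations(text: str) -> list[Association]:
    """Parse 'show ntp associations' output into Association records."""
    out = []
    for line in text.splitlines():
        m = ASSOC_RE.match(line.strip())
        if m:
            out.append(Association(m["flags"], m["addr"], m["ref"], int(m["st"]),
                                   int(m["reach"], 8), float(m["disp"])))
    return out


def audit(assoc_text: str, status_text: str) -> list[str]:
    """Return findings for the conditions discussed in the threads; [] means healthy."""
    findings = []
    assocs = parse_associations(assoc_text)
    sys_peer = next((a for a in assocs if a.is_sys_peer), None)
    for a in assocs:
        if a.stratum == 16:
            findings.append(f"{a.addr}: stratum 16, peer has never synchronised")
        if a.reach == 0:
            findings.append(f"{a.addr}: reach 0, no reply in the last 8 polls (path or ACL?)")
        if a.disp_ms >= MAX_DISPERSION_MS:
            findings.append(f"{a.addr}: dispersion {a.disp_ms:.0f} ms exceeds "
                            f"{MAX_DISPERSION_MS:.0f} ms")
        if a.addr == LOCAL_CLOCK and not a.is_sys_peer:
            who = sys_peer.addr if sys_peer else "nothing"
            findings.append(f"local clock ('ntp master') configured but not selected; "
                            f"sys.peer is {who}")
    m = STATUS_RE.search(status_text)
    if m and m["state"] != "synchronized":
        findings.append(f"system clock {m['state']} at stratum {m['st']}")
    rd = ROOT_DISP_RE.search(status_text)
    if rd and float(rd["ms"]) >= MAX_DISPERSION_MS:
        findings.append(f"root dispersion {rd['ms']} ms exceeds {MAX_DISPERSION_MS:.0f} ms; "
                        "IOS NTP will drop sync")
    return findings
```

Calling `audit(BRI_ASSOC, BRI_STATUS)` reports only that the local clock is configured but not the selected peer, while `audit(DMZ_ASSOC, DMZ_STATUS)` flags the stratum-16, reach-0, 16000 ms dispersion peer and the unsynchronized system clock.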
So I just installed NTP on my server and verified everything is working as expected and please keep in mind I am very green w/ systemd:
[root@ion101 ~]# systemctl status ntpd.service
● ntpd.service - Network Time Service
Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
Active: active (running) since Fri 2014-10-24 18:36:04 UTC; 7min ago
Process: 196 ExecStart=/usr/bin/ntpd -g -u ntp:ntp (code=exited, status=0/SUCCESS)
Main PID: 203 (ntpd)
CGroup: /system.slice/ntpd.service
└─203 /usr/bin/ntpd -g -u ntp:ntp
Oct 24 18:36:04 ion101.orl.voxeo.net ntpd[203]: bind(21) AF_INET6 fe80::2000:bff:fe5e:878e%2%2#123 flags 0x11 failed: Cannot assign requested address
Oct 24 18:36:04 ion101.orl.voxeo.net ntpd[203]: unable to create socket on eth0 (5) for fe80::2000:bff:fe5e:878e%2#123
Oct 24 18:36:04 ion101.orl.voxeo.net ntpd[203]: failed to init interface for address fe80::2000:bff:fe5e:878e%2
Oct 24 18:36:04 ion101.orl.voxeo.net ntpd[203]: Listening on routing socket on fd #21 for interface updates
Oct 24 18:36:04 ion101.orl.voxeo.net systemd[1]: Started Network Time Service.
Oct 24 18:36:05 ion101.orl.voxeo.net ntpd[203]: bind(24) AF_INET6 fe80::2000:bff:fe5e:878e%2%2#123 flags 0x11 failed: Cannot assign requested address
Oct 24 18:36:05 ion101.orl.voxeo.net ntpd[203]: unable to create socket on eth0 (6) for fe80::2000:bff:fe5e:878e%2#123
Oct 24 18:36:05 ion101.orl.voxeo.net ntpd[203]: failed to init interface for address fe80::2000:bff:fe5e:878e%2
Oct 24 18:36:08 ion101.orl.voxeo.net ntpd[203]: Listen normally on 7 eth0 [fe80::2000:bff:fe5e:878e%2]:123
Oct 24 18:36:08 ion101.orl.voxeo.net ntpd[203]: new interface(s) found: waking up resolver
I don't USE or WANT IPv6 on my Arch Linux server so I verified the service is disabled:
[root@ion101 ~]# systemctl status ip6tables.service
● ip6tables.service - IPv6 Packet Filtering Framework
Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled)
Active: inactive (dead)
Can someone please help me understand the logs above and what they mean? Is this normal, or should I make a config change to tell my NTP daemon to only use the IPv4 interface?
ip6tables is just the IPv6 firewall. If you want to disable IPv6 see https://wiki.archlinux.org/index.php/IPv6#Disable_IPv6
-
What is going wrong with this config ??
Hello guys,
I am busting my head to find out what is going wrong with this config and can't figure it out since I am not an advanced Cisco technician.
The problem is that I can't access the 94.70.142.127 server that is supposed to be in a DMZ zone.
I know it is a bit chaotic but would really appreciate any help since I am running on a deadline.
I am building the config step by step and although it seems to be working, access to the server all of a sudden is denied.
No idea if it's a NAT issue, a firewall issue or a security audit issue.
There are 3 vlans.
Vlan 1 is the inside network.
Vlan 2 is the DMZ server
Vlan 3 is the Management Network.
thanks in advance
Building configuration...
Current configuration : 11796 bytes
! Last configuration change at 11:28:33 PCTime Fri Jan 4 2013 by admin
! NVRAM config last updated at 11:27:51 PCTime Fri Jan 4 2013 by admin
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
hostname R1
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 8
logging message-counter syslog
logging buffered 4096 informational
enable secret 5 $1$oT7y$BwhdEjMJfAaTQI3dzDVwP.
no aaa new-model
memory-size iomem 10
clock timezone PCTime 2
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00
crypto pki trustpoint TP-self-signed-2567543707
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2567543707
revocation-check none
rsakeypair TP-self-signed-2567543707
crypto pki certificate chain TP-self-signed-2567543707
certificate self-signed 01
quit
no ip source-route
ip cef
no ip bootp server
ip domain name docnet.gr
ip name-server 195.170.0.1
no ipv6 cef
username admin privilege 15 view root secret 5 $1$Lny5$et1FhWOpIKOOYRUtN89H10
archive
log config
hidekeys
ip tcp synwait-time 10
ip ssh version 2
class-map type inspect match-any WebService
match protocol http
match protocol https
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
match class-map WebService
match access-group name WebServer
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-1
match access-group name Spoofing
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any tcp-udp
match protocol http
match protocol https
match protocol dns
match protocol icmp
class-map type inspect match-all ccp-cls--3
match access-group name mng-out
match class-map tcp-udp
class-map type inspect match-all ccp-cls--2
match access-group name mng-self
class-map type inspect match-all ccp-cls--4
match access-group name mng-out-drop
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any http-https-DMZ
match protocol http
match protocol https
class-map type inspect match-all sdm-cls--2
match class-map http-https-DMZ
match access-group name web_server
class-map type inspect match-any MySQLService
match protocol mysql
class-map type inspect match-all sdm-cls--1
match class-map MySQLService
match access-group name DMZtoMySQL
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all sdm-nat-https-1
match access-group 102
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-1
drop
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
inspect
class type inspect sdm-nat-https-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect CCP-Voice-permit
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect sdm-policy-sdm-cls--1
class type inspect sdm-cls--1
inspect
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--1
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--3
class type inspect ccp-cls--3
inspect
class class-default
drop
policy-map type inspect sdm-policy-sdm-cls--2
class type inspect sdm-cls--2
inspect
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--2
class type inspect ccp-cls--2
inspect
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--5
class class-default
drop
zone security out-zone
zone security in-zone
zone security dmz-zone
zone security mng
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security zp-dmz-to-outside source dmz-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security zp-outside-to-dmz source out-zone destination dmz-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-dmz-zone-in-zone source dmz-zone destination in-zone
service-policy type inspect sdm-policy-sdm-cls--1
zone-pair security sdm-zp-in-zone-dmz-zone source in-zone destination dmz-zone
service-policy type inspect sdm-policy-sdm-cls--2
zone-pair security sdm-zp-dmz-zone-self source dmz-zone destination self
service-policy type inspect ccp-policy-ccp-cls--1
zone-pair security sdm-zp-mng-self source mng destination self
service-policy type inspect ccp-policy-ccp-cls--2
zone-pair security sdm-zp-mng-out-zone source mng destination out-zone
service-policy type inspect ccp-policy-ccp-cls--3
zone-pair security sdm-zp-out-zone-mng source out-zone destination mng
service-policy type inspect ccp-policy-ccp-cls--5
interface Null0
no ip unreachables
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
encapsulation hdlc
shutdown
isdn termination multidrop
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 8/35
pppoe-client dial-pool-number 1
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
switchport access vlan 3
spanning-tree portfast
interface FastEthernet3
switchport access vlan 2
interface Vlan1
description $FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
interface Vlan2
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security dmz-zone
interface Vlan3
description $FW_INSIDE$
ip address 10.0.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security mng
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly max-reassemblies 64
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password 7 0918425001505245
ppp pap sent-username [email protected] password 7 13511B4B1359417D
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.0.10.0 255.255.255.0 Vlan3
no ip http server
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static 192.168.0.101 94.70.142.113
ip nat inside source static 192.168.1.102 94.70.142.127
ip access-list extended DMZtoMySQL
remark CCP_ACL Category=128
permit ip host 192.168.1.102 host 192.168.0.101
ip access-list extended Spoofing
remark CCP_ACL Category=128
permit ip 10.0.0.0 0.255.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
permit ip 172.16.0.0 0.15.255.255 any
ip access-list extended VTY_incoming
remark CCP_ACL Category=1
permit ip host 10.0.10.2 any
ip access-list extended WebServer
remark CCP_ACL Category=128
permit ip any host 192.168.1.102
ip access-list extended mng-out
remark CCP_ACL Category=128
permit ip 10.0.10.0 0.0.0.255 any
ip access-list extended mng-out-drop
remark CCP_ACL Category=128
permit ip any any
ip access-list extended mng-self
remark CCP_ACL Category=128
permit ip any any
ip access-list extended web_server
remark CCP_ACL Category=128
permit ip 192.168.0.0 0.0.0.255 host 192.168.1.102
logging 10.0.10.2
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 remark VLan 1 Access
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 remark VLan 3 Access
access-list 1 permit 10.0.10.0 0.0.0.255
access-list 1 remark Vlan 2 Access
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.0.101
dialer-list 1 protocol ip permit
no cdp run
control-plane
banner login ^CWARNING!!!This is a highly monitored private system. Access is prohibited!!^C
line con 0
no modem enable
line aux 0
line vty 0 4
access-class VTY_incoming in
password 7 12292504011C5C162E
login local
transport input ssh
scheduler max-task-time 5000
ntp authentication-key 1 md5 10603D29214711255F106B2677 7
ntp authenticate
ntp trusted-key 1
ntp master 2
end
Hello karolos,
Here is the thing.
You said you are trying to access 94.70.142.113 and that is a server on the DMZ, but based on your configuration that is not true:
ip nat inside source static 192.168.0.101 94.70.142.113
So 192.168.0.101 is on Vlan 1, which is the in-zone:
interface Vlan1
description $FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
security in-zone
If you got confused with the security zone that the host is assigned to then just add the following and it should work
ip access-list extended WebServer
permit ip any host 192.168.0.101
Regards -
NTP server unreachable through ASA firewall
Hi all,
I've configured a DMZ switch to point to an NTP server on the Inside, but I get a debug message on the switch that says:
NTP: <NTP server IP address> unreachable
I'm confident that the NTP server is configured properly, as there are more than a dozen other hosts using it, successfully. The difficulty here is that the NTP packets are having to flow from the DMZ to the Inside. I have a rule set on the firewall that permits the IP address of the switch to connect to the IP address of the NTP server as follows:
access-list intdmz1_acl extended permit udp host <IP address of switch> host <IP address of NTP server> eq ntp
I can see the hit counter on this rule incrementing.
The firewall can ping the NTP server, and the NTP server can ping the switch, so I think routing is OK.
Output from the DMZ switch:
switch#show ntp associations
address ref clock st when poll reach delay offset disp
~192.168.65.254 0.0.0.0 16 - 64 0 0.0 0.00 16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
switch#show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
reference time is 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
PRNLN-DMZ-SW01#sh run | inc ntp
ntp source Vlan138
ntp server 192.168.65.254
ukhvdc00vs01#sh run | inc ntp
ntp source Vlan65
ntp master 3
ntp update-calendar
ntp server 0.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org
PRNLN-DMZ-SW01#show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
reference time is 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
Does the firewall rule need to permit more than UDP/123 for this to work perhaps?
NTPconfig on DMZ switch:
switch#sh run | inc ntp
ntp source Vlan138
ntp server <IP address of NTP server>
===================
NTP config on NTP server:
NTP_Server#sh run | inc ntp
ntp source Vlan65
ntp master 3
ntp update-calendar
ntp server 0.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org
Any guidance welcomed.
Thank you,
Olly
Hi Julio,
For the purposes of this information:
DMZ switch IP = 5.6.7.8
NTP server IP = 10.1.1.1
Here's the output from the show commands:
ciscoasa# show capture NTPCAPTUREDMZ
11 packets captured
1: 16:22:05.271500 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2: 16:23:09.276185 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
3: 16:24:13.274033 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
4: 16:24:57.272813 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
5: 16:24:58.279480 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
6: 16:24:59.277817 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
7: 16:25:00.275971 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
8: 16:25:01.275559 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
9: 16:25:02.272599 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
10: 16:25:03.279129 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
11: 16:25:04.277710 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
11 packets shown
ciscoasa# show capture NTPCAPTUREINSIDE
0 packet captured
0 packet shown
ciscoasa# show capture NTPASP | include 10.1.1.1
419: 16:24:13.274171 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
1820: 16:24:57.272904 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
1841: 16:24:58.279587 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
1876: 16:24:59.277909 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
1934: 16:25:00.276062 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2027: 16:25:01.275651 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2068: 16:25:02.272690 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2095: 16:25:03.279221 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2129: 16:25:04.277802 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2200: 16:25:05.275849 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2233: 16:25:06.274094 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2275: 16:25:07.273606 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2327: 16:25:08.280182 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2347: 16:25:09.277222 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2373: 16:25:10.275467 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2399: 16:25:11.273759 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2414: 16:25:12.273347 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
I'm guessing we should see some packets in the second capture, but we're not...
Does this help?
Thanks!
Olly
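One way to turn the two captures above into a quick check, as an added example that is not part of the original thread: parse the text shape of the ASA "show capture" output and report NTP flows that appear on the DMZ-side capture but never on the Inside-side capture, which is the symptom Olly is seeing. The sample dump below is constructed in that shape using the poster's placeholder addresses; the capture names and line format are taken from the thread, nothing else is assumed.

```python
"""Find NTP flows seen entering the ASA (DMZ capture) but never leaving it (Inside capture)."""
import re
from collections import Counter

# One ASA capture line, e.g.
#   "1: 16:22:05.271500 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48"
# The 802.1Q tag block is optional so untagged captures parse too.
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>\w+)"
)


def parse_capture(text):
    """Return a Counter of (src, sport, dst, dport, proto) flows found in a capture dump."""
    flows = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # header/footer lines such as "11 packets captured" simply do not match
            g = m.groupdict()
            flows[(g["src"], int(g["sport"]), g["dst"], int(g["dport"]), g["proto"])] += 1
    return flows


def one_sided_flows(ingress_text, egress_text, dport=123):
    """Flows to dport present on the ingress capture with zero packets on the egress capture."""
    ingress = parse_capture(ingress_text)
    egress = parse_capture(egress_text)  # Counter returns 0 for flows it never saw
    return {f: n for f, n in ingress.items() if f[3] == dport and egress[f] == 0}


# Constructed sample in the shape of the thread's output (placeholder addresses from the post).
DMZ_CAPTURE = """3 packets captured
   1: 16:22:05.271500 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
   2: 16:23:09.276185 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
   3: 16:24:13.274033 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
3 packets shown"""
INSIDE_CAPTURE = """0 packet captured
0 packet shown"""

if __name__ == "__main__":
    for (src, sport, dst, dport, proto), n in one_sided_flows(DMZ_CAPTURE, INSIDE_CAPTURE).items():
        print(f"{proto}/{dport}: {src}:{sport} -> {dst}:{dport} seen {n}x on DMZ, 0x on Inside")
```

A flow listed here was accepted on the DMZ interface but never egressed on Inside, so the next place to look is the ASA's own drop accounting for that flow (the "asp-drop" capture the thread already mentions) rather than the switch or the NTP server.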