NTP and PIX Firewalls

Feb 02,2010 by alperen


Cisco devices cannot act as stratum 1 NTP servers because there is no way to connect a radio or atomic reference clock to them. Most networks therefore run an NTP server service on a Windows, UNIX, or Linux host; that host synchronizes with the public NTP servers on the Internet, and the firewall synchronizes with the host. It is also possible to synchronize directly with one of the Internet-based NTP servers, but a public server cannot share a secret key with you, so that association runs without the MD5 authentication described below, and the time source sits outside your control.

Configuring NTP Support

Four configuration mode commands synchronize a PIX Firewall with a network time server using NTP. These ntp command variations identify the time server(s) and control how the PIX Firewall synchronizes according to the configured options.

The ntp authenticate command enables NTP authentication on the device.

pix(config)#ntp authenticate
pix(config)#no ntp authenticate

The ntp authentication-key command defines the shared secret used when authentication between the firewall and the NTP server is required. Conceptually, this is similar to the AAA tacacs-server key command covered in Chapter 3: the key ensures that only parties holding the secret can take part in the exchange. NTP authentication is a keyed MD5 digest over each packet; it proves that the packet came from a holder of the key and was not altered in transit, but it does not encrypt the time data. If authentication is used, the PIX Firewall and the NTP server must be configured with the same key number and the same key value.

pix(config)#ntp authentication-key number md5 value
pix(config)#no ntp authentication-key number md5 value

number: The authentication key number (1 to 4294967295).

md5: The digest algorithm. md5 is the only option; it is a keyed hash used for authentication, not an encryption algorithm.

value: An arbitrary string of up to 32 characters. This key value appears as ********** when the configuration is viewed with the write terminal command or the show tech-support command.

The ntp server command identifies an NTP server and the interface through which the PIX Firewall reaches it; the firewall listens for NTP packets (UDP port 123) only on interfaces named in an ntp server command. NTP packets that arrive on any other interface, or that are not responses to a request the PIX Firewall itself sent, are dropped, so the firewall acts only as an NTP client and never serves time to other hosts.

pix(config)#ntp server ip_address [key number] source if_name [prefer]
pix(config)#no ntp server ip_address

ip_address: The IP address of the NTP server with which to synchronize.

number: The authentication key number (1 to 4294967295).

if_name: The interface to use to send packets to the NTP server.

prefer: Designates the specified network time server as the preferred server with which to synchronize time.

If authentication is enabled, use the ntp trusted-key command to define one or more key numbers that the NTP server must present in its NTP packets before the PIX Firewall will accept synchronization from it. In practice the key number given to ntp trusted-key is the same one defined with ntp authentication-key and referenced in the key option of ntp server, as the show ntp output later in this article shows.

pix(config)#ntp trusted-key number
pix(config)#no ntp trusted-key number

trusted-key: Specifies the trusted key against which to authenticate.

number: The authentication key number (1 to 4294967295).
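What the four commands above actually check on the wire, as an added example that is not part of the original page: a Python model of NTPv3 symmetric-key MD5 authentication (RFC 1305, Appendix C). The key identifier 9146 matches the show ntp output later in this article; the key value, the packet contents and the receive-side logic are constructed here, and treating the key string as ASCII bytes is an assumption about how a given implementation derives the key.

```python
# Added example (not from the original page): what the PIX checks when
# 'ntp authenticate' is on. NTPv3 symmetric-key authentication (RFC 1305,
# Appendix C) appends a 20-byte MAC to the 48-byte header: a 4-byte key
# identifier followed by MD5(key || header). Key strings are treated as
# ASCII bytes here (the usual convention for short text keys; an assumption).
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48            # LI/VN/mode through the transmit timestamp
MAC_LEN = 4 + 16               # key identifier + MD5 digest
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def build_client_packet(transmit_unix_time):
    """Build a minimal, unauthenticated NTPv3 mode-3 (client) header."""
    li_vn_mode = (0 << 6) | (3 << 3) | 3        # LI=0, version 3, mode 3
    secs = int(transmit_unix_time) + NTP_EPOCH_OFFSET
    frac = int((transmit_unix_time % 1) * (1 << 32))
    header = struct.pack("!BBBb", li_vn_mode, 0, 6, -20)  # stratum, poll, precision
    header += struct.pack("!II", 0, 0)          # root delay, root dispersion
    header += b"\x00" * 4                       # reference identifier
    header += struct.pack("!II", 0, 0) * 3      # reference, originate, receive timestamps
    header += struct.pack("!II", secs, frac)    # transmit timestamp
    return header


def append_mac(header, key_id, key):
    """Sign the header the way a client configured with 'ntp server ... key N' does."""
    digest = hashlib.md5(key + header[:NTP_HEADER_LEN]).digest()
    return header[:NTP_HEADER_LEN] + struct.pack("!I", key_id) + digest


def verify_packet(packet, keys, trusted):
    """Receive-side check modelled on the PIX with 'ntp authenticate' enabled.

    keys    maps key id -> key bytes   ('ntp authentication-key N md5 value')
    trusted is the set of key ids      ('ntp trusted-key N')
    Returns (accepted, reason).
    """
    if len(packet) < NTP_HEADER_LEN + MAC_LEN:
        return False, "no MAC present; dropped because authentication is required"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = packet[NTP_HEADER_LEN + 4:NTP_HEADER_LEN + MAC_LEN]
    if key_id not in trusted:
        return False, "key id %d is not an ntp trusted-key" % key_id
    if key_id not in keys:
        return False, "key id %d has no ntp authentication-key" % key_id
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, digest):   # constant-time comparison
        return False, "MD5 digest mismatch: wrong key or altered packet"
    return True, "authenticated with key id %d" % key_id


if __name__ == "__main__":
    # Constructed values: key id 9146 as in the page's show ntp output, placeholder key.
    key = b"s3cretkey"
    keys, trusted = {9146: key}, {9146}
    request = build_client_packet(1037182525.313)
    signed = append_mac(request, 9146, key)
    print(verify_packet(signed, keys, trusted))                    # accepted
    print(verify_packet(request, keys, trusted))                   # no MAC
    print(verify_packet(signed, keys, set()))                      # key not trusted
    print(verify_packet(append_mac(request, 9146, b"other"), keys, trusted))  # wrong key
    altered = signed[:40] + bytes([signed[40] ^ 0xFF]) + signed[41:]
    print(verify_packet(altered, keys, trusted))                   # altered timestamp
```

Three things follow from the model that the command descriptions leave implicit: the key number travels in the packet, so both sides must agree on the number as well as the value; the digest covers the whole 48-byte header, so a changed timestamp is detected; and nothing is encrypted, so the MAC gives origin and integrity only, and its strength is that of the shared MD5 key, which should be kept out of captures and configuration backups.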

Use the clear ntp command to remove all NTP configurations, including disabling authentication and removing all authentication keys and NTP server designations.

pix(config)#clear ntp

The following example demonstrates configuring the NTP features; the resulting configuration is what the show ntp command displays in the next section.
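As an added example (not code from the original page), these are the commands, in the order they are entered, that produce the configuration shown by show ntp below. The key value s3cretkey is a placeholder; the real value is shown masked in the show ntp output.

```text
pix(config)#ntp authentication-key 9146 md5 s3cretkey
pix(config)#ntp trusted-key 9146
pix(config)#ntp authenticate
pix(config)#ntp server 192.168.4.2 key 9146 source inside prefer
```

Defining the key and marking it trusted before enabling authentication and adding the server means the server is never referenced with a key number that does not yet exist, and no unauthenticated association is formed in between.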

Verifying and Monitoring NTP Support

Use the show ntp command to display the current NTP configuration. The following output demonstrates the show ntp command:

pix(config)#show ntp
ntp authentication-key 9146 md5 ********
ntp authenticate
ntp trusted-key 9146
ntp server 192.168.4.2 key 9146 source inside prefer
pix(config)#

Use the show ntp associations [detail] command to display the configured NTP server associations. The following is a sample of the possible output from the command without and with the detail parameter. In the summary form, st is the server's stratum, when is the number of seconds since the last reply, poll is the polling interval in seconds, reach is an 8-bit register of the last eight polls printed in octal (377 means all eight were answered; 177, as here, means the oldest one was missed or the association is only seven polls old), and delay, offset, and disp are in milliseconds.

pix(config)#show ntp associations
address      ref clock     st when poll reach  delay offset disp
*~192.168.4.2    172.16.100.5   4  113  128 177   4.5  -0.24  125.2
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

pix(config)#show ntp associations detail
192.168.4.2 configured, our_master, sane, valid, stratum 4
ref ID 172.16.100.5, time c0212639.2ecfc9e0 (10:15:05.101 UTC Wed Nov 13 2002)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 38.04 msec, root disp 9.55, reach 177, sync dist 156.021
delay 3.36 msec, offset -0.2119 msec, dispersion 125.21
precision 2**19, version 3
org time c02128a9.731f127b (10:15:25.313 UTC Wed Nov 13 2002)
rcv time c02128a9.73c1954b (10:15:25.317 UTC Wed Nov 13 2002)
xmt time c02128a9.6b3f729e (10:15:25.309 UTC Wed Nov 13 2002)
filtdelay =   4.47  4.58  4.97  5.63  4.79  5.52  5.87  0.00
filtoffset =  -0.24  -0.36  -0.37  0.30  -0.17  0.57  -0.74  0.00
filterror =   0.02  0.99  1.71  2.69  3.66  4.64  5.62  16000.0

Use the show ntp status command to display the NTP clock information:

pix(config)#show ntp status
Clock is synchronized, stratum 5, reference is 192.168.4.2
nominal freq is 99.9984 Hz, actual freq is 100.0266 Hz, precision is 2**6
reference time is c02128a9.73c1954b (20:29:29.452 UTC Wed Nov 13 2002)
clock offset is -0.2403 msec, root delay is 42.51 msec
root dispersion is 135.01 msec, peer dispersion is 125.21 msec
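A monitoring check built on the three show commands above, as an added example that is not part of the original page: it parses the show ntp, show ntp associations and show ntp status output copied from this article, decodes the reach register, and reports whether the firewall is synchronized to a configured, authenticated server. The thresholds and the FAIL/WARN wording are this example's own choices.

```python
# Added example (not from the original page): a monitoring check over the
# show ntp, show ntp associations and show ntp status output shown on this
# page. Sample text is copied from the page; thresholds and wording are mine.
import re

ASSOC_RE = re.compile(
    r"^(?P<flags>[*#+\-~ ]*)(?P<address>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<refclock>\S+)"
    r"\s+(?P<st>\d+)\s+(?P<when>\d+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]{1,3})"
    r"\s+(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<disp>-?[\d.]+)\s*$")
STATUS_RE = re.compile(r"^Clock is (?P<state>synchronized|unsynchronized)"
                       r"(?:, stratum (?P<st>\d+))?(?:, reference is (?P<ref>\S+))?")
OFFSET_RE = re.compile(r"clock offset is (?P<offset>-?[\d.]+) msec")
SERVER_RE = re.compile(r"^ntp server (?P<address>\S+)(?: key (?P<key>\d+))?")

SAMPLE_CONFIG = """\
ntp authentication-key 9146 md5 ********
ntp authenticate
ntp trusted-key 9146
ntp server 192.168.4.2 key 9146 source inside prefer
"""
SAMPLE_ASSOC = """\
address      ref clock     st when poll reach  delay offset disp
*~192.168.4.2    172.16.100.5   4  113  128 177   4.5  -0.24  125.2
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""
SAMPLE_STATUS = """\
Clock is synchronized, stratum 5, reference is 192.168.4.2
clock offset is -0.2403 msec, root delay is 42.51 msec
"""

def decode_reach(reach_octal):
    """reach is an 8-bit shift register printed in octal, bit 0 = newest poll:
    377 means all of the last eight polls were answered, 177 that the oldest
    was missed (or that the association is only seven polls old)."""
    reg = int(reach_octal, 8) & 0xFF
    return {"register": reg, "answered": bin(reg).count("1"),
            "history": [bool(reg >> i & 1) for i in range(8)]}  # [0] = newest

def parse_associations(text):
    peers = []
    for line in text.splitlines():
        m = ASSOC_RE.match(line.rstrip())
        if not m:           # skips the column header and the legend line
            continue
        peers.append({"address": m.group("address"), "refclock": m.group("refclock"),
                      "stratum": int(m.group("st")), "reach": m.group("reach"),
                      "delay_ms": float(m.group("delay")),
                      "offset_ms": float(m.group("offset")),
                      "synced_master": "*" in m.group("flags"),
                      "configured": "~" in m.group("flags")})
    return peers

def parse_status(text):
    status = {"synchronized": False, "stratum": None, "reference": None, "offset_ms": None}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            status["synchronized"] = m.group("state") == "synchronized"
            status["stratum"] = int(m.group("st")) if m.group("st") else None
            status["reference"] = m.group("ref")
        m = OFFSET_RE.search(line)
        if m:
            status["offset_ms"] = float(m.group("offset"))
    return status

def health_check(config_text, status_text, assoc_text, max_offset_ms=100.0):
    """Return a list of FAIL/WARN findings; an empty list means the clock looks healthy."""
    findings, servers, authenticate = [], {}, False
    for line in config_text.splitlines():
        line = line.strip()
        authenticate = authenticate or line == "ntp authenticate"
        m = SERVER_RE.match(line)
        if m:
            servers[m.group("address")] = m.group("key")
    status = parse_status(status_text)
    if not status["synchronized"]:
        return ["FAIL: clock is not synchronized"]
    ref = status["reference"]
    if ref not in servers:
        findings.append("FAIL: reference %s is not a configured ntp server" % ref)
    elif authenticate and servers[ref] is None:
        findings.append("FAIL: ntp authenticate is on but ntp server %s has no key" % ref)
    peer = {p["address"]: p for p in parse_associations(assoc_text)}.get(ref)
    if peer is None:
        return findings + ["FAIL: no association listed for reference %s" % ref]
    if not peer["synced_master"]:
        findings.append("WARN: %s is not flagged '*' (master, synced)" % ref)
    if status["stratum"] != peer["stratum"] + 1:
        findings.append("WARN: our stratum %s != server stratum %d + 1" % (status["stratum"], peer["stratum"]))
    reach = decode_reach(peer["reach"])
    if reach["register"] != 0o377:
        findings.append("WARN: %s reach %s: only %d of the last 8 polls answered"
                        % (ref, peer["reach"], reach["answered"]))
    if status["offset_ms"] is not None and abs(status["offset_ms"]) > max_offset_ms:
        findings.append("FAIL: clock offset %.4f msec exceeds %.1f msec"
                        % (status["offset_ms"], max_offset_ms))
    return findings
```

On the page's own sample the only finding is the reach warning (177 rather than 377), which is consistent with the associations entry having seen seven polls so far. The check that the reference server carries a key when ntp authenticate is on catches the common misconfiguration of enabling authentication without binding the key to the server line.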
