
Cisco Firewall Configuration Fundamentals

Chapter Description

This chapter describes the configuration fundamentals for IOS and ASA-based firewalls, highlighting the similarities between the product families.

From the Book

Cisco Firewalls



Clock Synchronization Using NTP

Ensuring that consistent time information is distributed throughout the network is an important accomplishment. Correct timing not only makes event logs and management data more meaningful, but also makes it possible to use accounting records for auditing tasks and to enable features (such as time-based ACLs) during specific periods.

The clock on a Cisco device can be set manually using the clock set exec-level command. Nonetheless, the recommended method for time synchronization is NTP.

Because of the potential adverse effects that incorrect time information might have on network availability and manageability, it is advisable that network and security administrators do whatever they can to guarantee that only authorized synchronization sources are used. Although NTP supports both plain-text and hash-based (MD5) authentication options, the MD5 method is undoubtedly the preferred one.

Figure 3-8 depicts the reference topology for the analysis of NTP operation using MD5 Authentication. Example 3-26 assembles the configuration commands of an IOS NTP Server that was employed to synchronize a set of NTP clients. For a better understanding of this scenario, you should pay attention to the following details:

  • NTP clients authenticate packets received from servers. This is reflected in the fact that the ntp authenticate command is configured only on the client side.
  • The ntp trusted-key command is necessary to activate a key configured with the ntp authentication-key command.

Figure 3-8 Reference Topology for NTP Analysis

Example 3-27 illustrates a classic client-side debug. It also shows how to verify the synchronization status on a certain device and the details associated with the source of clock data. (The commands used in this example are equally valid for ASA and IOS.)

Example 3-26. NTP Baseline Configuration

! NTP Server Configuration on IOS
ntp master 4
ntp authentication-key 1 md5 *****
ntp peer key 1
ntp peer key 1
ntp peer key 1
! NTP configuration on ASA (server is reachable through logical interface "mgmt")
ASA1# show running-config ntp
ntp authentication-key 1 md5 *****
ntp authenticate
ntp trusted-key 1
ntp server key 1 source mgmt
! NTP Configuration on IOS (including Catalyst 6500)
CAT6500B# show running-config | include ntp
ntp authentication-key 1 md5 *****
ntp authenticate
ntp trusted-key 1
ntp source Vlan1100
ntp server key 1

Example 3-27. NTP Operation

! A typical debug on the client side (valid for IOS and ASA)
rcv packet from  to on Vlan1100:
leap 0, mode 4, version 3, stratum 4, ppoll 64
rtdel 0000 (0.000), rtdsp 0002 (0.031), refid 7F7F0701 (
 ref CEAFDBC4.50C27B03 (11:59:16.315 BRT Thu Nov  19 2009)
 org CEAFCD40.7E7F03DF (10:57:20.494 BRT Thu Nov  19 2009)
 rec CEAFDBD2.6C4177F8 (11:59:30.422 BRT Thu Nov  19 2009)
 xmt CEAFDBD2.6C54908E (11:59:30.423 BRT Thu Nov  19 2009)
 inp CEAFCD40.7F0D7366 (10:57:20.496 BRT Thu Nov  19 2009)
 NTP: synced to new peer
! Verifying if the clock is already synchronized (valid for IOS and ASA)
ASA1# show ntp status

Clock is synchronized, stratum 5, reference is
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is ceafcf15.f87ff739 (11:05:09.970 BRT Thu Nov  19 2009)
clock offset is -31.4958 msec, root delay is 36.30 msec
root dispersion is 1923.63 msec, peer dispersion is 1892.09 msec
! Verifying the source of timing information (valid for IOS and ASA)
ASA1# show clock detail
11:05:46.460 BRT Thu Nov 19 2009
Time source is NTP
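The client-side check that ntp authenticate and ntp trusted-key perform, as an added Python example (not code from the book or from Cisco): it builds a mode-4 reply like the one in the debug above, appends the keyed-MD5 MAC that NTP defines (RFC 5905: key identifier followed by MD5 over the key and the 48-byte header), and verifies it against the trusted-key table. The key strings are constructed for the example; the reference timestamp is the one shown in Example 3-27.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
BRT = timezone(timedelta(hours=-3))           # zone shown in the debug output
REF_TS = 0xCEAFDBC450C27B03                   # "ref" timestamp from Example 3-27

# Key table modelled on "ntp authentication-key <id> md5 <key>"; only key 1 is
# activated with "ntp trusted-key 1".  Key strings are constructed for this example.
KEYS = {1: b"example-key-1", 2: b"example-key-2"}
TRUSTED = {1}

def ntp_to_datetime(value):
    """Decode a 64-bit NTP timestamp (seconds.fraction since 1900-01-01 UTC)."""
    secs, frac = value >> 32, value & 0xFFFFFFFF
    return NTP_EPOCH + timedelta(seconds=secs, microseconds=round(frac * 1e6 / 2**32))

def build_reply(key_id, ref_ts=REF_TS):
    """Mode-4 (server) NTPv3 reply like the one in the debug, with an MD5 MAC appended."""
    # LI=0, VN=3, mode=4 | stratum 4 | ppoll 64 (2**6) | precision | rtdel | rtdsp | refid
    header = struct.pack("!BBBbIII", (0 << 6) | (3 << 3) | 4, 4, 6, -6, 0, 2, 0x7F7F0701)
    header += struct.pack("!QQQQ", ref_ts, 0, 0, 0)   # ref, org, rec, xmt timestamps
    # RFC 5905 symmetric-key MAC: key identifier + MD5(key || header); note it is not an HMAC
    digest = hashlib.md5(KEYS[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest

def authenticate(packet):
    """What a client configured with 'ntp authenticate' checks before accepting a reply.

    Returns (accepted, reason).  A packet with no MAC, a MAC under a key id that is
    not trusted, or a digest that does not match the header is discarded.
    """
    if len(packet) != 48 + 4 + 16:
        return False, "no MAC present"
    header, key_id, digest = packet[:48], struct.unpack("!I", packet[48:52])[0], packet[52:]
    if key_id not in TRUSTED or key_id not in KEYS:
        return False, "key id %d is not a trusted key" % key_id
    expected = hashlib.md5(KEYS[key_id] + header).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch (packet altered or wrong key)"
    return True, "authenticated with key %d" % key_id

def reference_time(packet, tz=BRT):
    """Pull the reference timestamp out of a reply and render it as the debug does."""
    ref = struct.unpack("!Q", packet[16:24])[0]
    return ntp_to_datetime(ref).astimezone(tz).strftime("%H:%M:%S.%f")[:-3]

if __name__ == "__main__":
    good = build_reply(1)
    print(authenticate(good), reference_time(good))                  # accepted, 11:59:16.315
    print(authenticate(build_reply(2)))                               # key 2 exists but is not trusted
    print(authenticate(good[:1] + bytes([good[1] ^ 1]) + good[2:]))   # stratum altered in transit
```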

Example 3-28 documents that the FWSM receives its timing information from the Catalyst 6500 chassis. If the underlying 6500 is synchronized through NTP, the FWSM displays NTP as its time source.

Example 3-28. Specific Considerations for the FWSM

! Time information obtained from the Catalyst chassis (which uses NTP)
FWSM2# show clock detail
12:42:56.570 BRT Thu Nov 19 2009
Time source is NTP
! There is no NTP option on the FWSM CLI
FWSM2# show ntp ?
ERROR: % Unrecognized command
FWSM2(config)#ntp ?
ERROR: % Unrecognized command