Networks Training

You are here: Home / Cisco ASA Firewall Configuration / Cisco ASA NTP and Clock Configuration with Examples

Cisco ASA NTP and Clock Configuration with Examples

Written By

The Cisco ASA appliance retains clock settings in memory via a battery on the device motherboard. Even if the device is turned off, the clock is retained in memory.

cisco asa ntp config

Configuring accurate time settings on the appliance is important for logging purposes since syslog messages can contain a time stamp according to the device clock time setting.

If you want the syslog messages to include a time-stamp value, you must first configure the clock (using clock set command) and then enable time-stamps using logging timestamp command (more on syslog configuration in later sections).

Having a time-stamp value on log messages is important for event tracing and forensic purposes when a security incident occurs.

Another important reason for setting the correct time on the ASA firewall is when you use PKI (Public Key Infrastructure) with digital certificates for authentication of IPSEC VPN peers.

The ASA firewall uses the local appliance clock to make sure that a Digital Certificate is not expired. When using PKI digital certificates, set the firewall clock to UTC time zone.

Cisco ASA NTP Configuration

Configure Clock Settings:

To configure the clock settings of the ASA appliance, use the clock set command as shown below:

MORE READING:  How to Configure Access Control Lists on a Cisco ASA 5500/5500-X Firewall (with Examples)

ciscoasa# clock set hh:mm:ss [day month | month day] year

Example:

ciscoasa# clock set 18:30:00 Apr 10 2009

To verify the correct clock on the appliance, use the show clock command.

Configure Time Zone and Daylight Saving Time:

To configure the time zone and the summer daylight saving time use the commands below:

ciscoasa# config t
ciscoasa(config)# clock timezone [zone name] [offset hours from UTC]
ciscoasa(config)# clock summer-time [zone name] recurring [week weekday month hh:mm week weekday month hh:mm] [offset]

Example:

ciscoasa(config)# clock timezone MST -7
ciscoasa(config)# clock summer-time MST recurring 1 Sunday April 2:00 last Sunday October 2:00

Configure Network Time Protocol (NTP):

If there is an NTP server in the network that provides accurate clock settings, then you can configure the firewall to synchronize its time with the NTP server. Both an authenticated and non-authenticated NTP is supported:

Non-Authenticated NTP:

ciscoasa(config)# ntp server [ip address of NTP] source [interface name]

Example:

ciscoasa(config)# ntp server 10.1.23.45 source inside

Authenticated NTP:

ciscoasa(config)# ntp authenticate
ciscoasa(config)# ntp authentication-key [key ID] md5 [ntp key]
ciscoasa(config)# ntp trusted-key [key ID]
ciscoasa(config)# ntp server [ip address of NTP] key [key ID] source [intf name]

Example:

MORE READING:  Cisco Router with Cisco ASA for Internet Access

ciscoasa(config)# ntp authenticate
ciscoasa(config)# ntp authentication-key 32 md5 secretkey1234
ciscoasa(config)# ntp trusted-key 32
ciscoasa(config)# ntp server 10.1.2.3 key 32 source inside

Importance of NTP

In the networking and IT world in general, having accurate time settings on all the devices of the network is of paramount importance.

This is especially true in the security realm. If you want to investigate a security breach or you want to take legal actions against a hacker or an employee who leaked corporate data to a competitor, then having logs with correct timestamps is very important.

You can retain correct time settings on all of your network and IT devices using several ways. Some companies use the internal Active Directory server (which is already synchronized to an accurate external NTP server) in order to provide time settings to all internal IT assets.

In public telecommunication networks (mobile 4G, fixed telephony etc) where time settings must be accurate in the range of milliseconds (or even smaller), atomic clocks are used for syncing the time. 

There are several external NTP servers available which you can use to synchronize your ASA devices (or any network equipment), such as pool.ntp.org, NIST Servers (https://tf.nist.gov/tf-cgi/servers.cgi) etc.

NTP Protocol Port

If you want to allow the NTP protocol through your firewalls, you must open port UDP 123.

Related Posts

Filed Under: Cisco ASA Firewall Configuration

Download Free Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls.

We use Elastic Email as our marketing automation service. By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. Smash102 says

    I have the NTP set up in my 5505 so that it can update as a client, But getting the server part established is giving me some issues. I have multiple subnets and am using several ports. Also since the IP addresss being assigned as an NTP server on the ASA isn’t an actual machine, do you have ideas on weather an exempt NAT or ACL is needed?

    One would think that the Cisco engineers would have it so the ASA could take into account if your setting it up as a NTP server to permit those requests from accociated interfaces.

  2. BlogAdmin says

    As far as I know, you don’t need to configure any nat exemption or ACL. What is your exact configuration on the ASA ?

  3. Peter Clowes says

    I’m getting clock is unsynchronized, stratum 16, no reference clock. The NTP server is external to my network. I entered ntp server x.x.x.x (public IP) source Outside. I have a similar question do I need an ACL?
    How long should it take to synchronize? I set the clock manually so that it was close to the time it would get from the server

  4. Harris Andrea says

    Peter,

    First of all, test the public NTP that is working fine. Here is a windows command you can use:

    w32tm /monitor /computers:time.nist.gov

    (In place of time.nist.gov you can put the NTP server you are using).

    Also, make sure the external NTP does not require authentication.

    Normally you won’t require an ACL for this. To be sure though you can place an ACL on outside (in the “out” direction) to allow NTP traffic and test again.

    Harris

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

As an Amazon Associate I earn from qualifying purchases.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

BLOGROLL

Tech21Century
Firewall.cx