Wednesday, June 4, 2008

NTP for your ASA

by Mark Lambiase MultiFactor Corp

Accurate time on your systems is not just something that is ‘nice to have’, but should be a priority to any network, system or security administrator. First of all, log analysis can be very difficult if the clocks are off. Especially if you have to trace sessions across multiple devices or servers. A busy firewall can generate many Megs of firewall log in a single day, and if you are correlating across multiple devices even discrepancies only in the range of seconds can make correlation very difficult.

VPNs can add a new twist to the value of the accuracy of the system clock, especially when certificates are involved. A clock that is fast may consider a newly issued certificate invalid, and a clock that is slow can consider a certificate expired before its time.

Network Time Protocol is the easy answer, and setting it upon the ASA either through the ASDM or from the CLI is easy. First, you will have to decide on the source for your time services. Time is served on the Internet by many sites, some of which are government owned systems, such as NIST and the U.S. Naval Observatory, others are run by universities and yet others are run by companies, networks and non-profits providing a free service to the Internet community.

Since network time servers are served on, well, the network, there are capacity and resource issues. One of the reasons that there are so many servers on the Internet is to make sure that a) there is capacity, and b) so that multiple sources can be checked against, so that the most accurate time can be derived. Additionally, a distinction is made between the time sources on the Internet as ‘Stratum 1’ and ‘Stratum 2’. Stratum 1 sources are usually attached to some master time source like an atomic clock, and stratum 2 sources derive their time from a collection of stratum 1 sources. The master source for stratum 1 sources, such as an atomic clock, are refered to as a stratum 0 source.

To be polite the network community should make use of stratum 2 sources. To find those stratum 2 sources there are a number of resources available on the Internet. One source of information is They have set up a neat system where a number of sources are pooled using DNS round-robin, but the ASA will not take a host-name in the ntp server command, and you will have to look up the IP addresses to configure the ASA.

There are other options, as well. Cisco routers can be configured to not only act as NTP clients, but they can be NTP servers. In this way your border routers can set their clocks from Internet sources, and your internal switches, routers, and your firewalls could set their time from your own sources. Additionally, your internal systems can then set theirclocks from your own sources, and you will not have to pass hundreds of NTP requests across your Internet link unnecessarily.

Configuring NTP via ASDM

NTP is configured on the Configuration > Device Setup > System Time > NTP page in ASDM, and can be as simple as just enteringthe IP address of the server that you are going to synchronize with. Multiple servers can be added, and are recommended. The ASA will query each, track the responses from each over a period of time, compare the results and make changesto the system clock.

There are a few options here that are not always necessary,especially on public time servers. These options have to do with securing the timeservice. After all, if someone can attack your clocks they could mess up your logs, or cause a denial of service to certificate authenticated services. Authentication is available. The time server will have a key, and you will create a key number and associate a key value. The same key, once created, can be assigned for use with multiple servers. This makes it somewhat easier to set up authenticated NTP on an internal network, as you can set up the routers on your internal network to serve time and require the same key.

Configuring NTP from the CLI

Configuring NTP from the command line can be as simple as:

ASA(config)# NTPserver

You should pick a couple of time sources for your ASA to synchronize with and add each to your config.

If you are going to set up NTP authentication on your network, or you happen to want to use an NTP server on the Internet that requires authentication you must enable NTP authentication first, and set up keys. Cisco has a good article on setting up NTP and NTP authentication at

Checking Your Settings

Once you have NTP configured on your ASA you will want to beable to check your settings, and see if the ASA is actually synchronizing.

There are 3 basic commands:

ASA(config)# show running-config ntp

ASA(config)# show ntp associations

ASA(config)# show ntp status

Additionally, you may want to review your other clock settings:

ASA(config)# showrunning-config clock

Copyright 2008. MultiFactor Corporation. All Rights Reserved.
SEO Services & Blog Design by