paw
Contributor I
Posts: 32
Registered: ‎09-13-2011

NTP source address

Hey!

The WiFi controller sits in the DMZ and has one leg in the MZ. The controller IP is one of the MZ range. But now I want to use an NTP server in the DMZ. As far as I understand, the controller uses its controller IP for the NTP lookup in the DMZ. This can't work.

Now I cannot change the source interface of the NTP client on the controller, correct? My idea is to use a NAT rule, but maybe there is a nicer way to do what I want?

  remote                                  local                                    st   poll   reach    delay     offset      disp
=========================================================================================================================================
=192.168.0.1                            8.8.8.8                              16 1024       0    0.00000     0.000000    3.99217
MVP
Posts: 4,225
Registered: ‎07-20-2011

Re: NTP source address

The way you are thinking of doing it is the best way.

Unfortunately you can't change the source IP address; it will use the address defined here: "show controller-ip"
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
paw
Contributor I
Posts: 32
Registered: ‎09-13-2011

Re: NTP source address

Hmm, in a production environment... :-) Just to make sure, is what I'm planning correct?

I make a NAT pool just for the IP of my DMZ interface

ip nat pool NATPool_DMZ2 192.168.0.5 192.168.0.5

Then I create a policy

ip access-list session "SNAT_NTP-access"
alias "controller" host 192.168.120.2 "svc-ntp" src-nat pool "NATPool_DMZ2" position 1 queue low
any any any permit position 2 queue low
!

But I also need to allow all other traffic coming from and going to the controller, like it was before. Correct?

ip access-list session "SNAT_NTP-access"
alias "controller" host 192.168.120.2 "svc-ntp" src-nat pool "NATPool_DMZ2" position 1 queue low
any any any permit position 2 queue low
!

Until here I'm already unsure, but now I have to assign this rule to a port. But what do I choose?

interface gigabitethernet 1/8
      ip access-group "SNAT_NTP-access" session vlan 120
      ip access-group "SNAT_NTP-access" session
      !

Thanks for your help.

Greets

MVP
Posts: 4,225
Registered: ‎07-20-2011

Re: NTP source address

I recommend you do this during a maintenance window.

In the last part, the only thing I would remove is this:
ip access-group "SNAT_NTP-access" session vlan 120
Everything else looks good.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA