To apply a VPN filter we have to create an ACL for NTP. I did the same thing for capture on the ASA, but I did not get anything.
Regards,
Parvez

On Sun, Sep 25, 2011 at 12:56 AM, Fawad Khan <[email protected]> wrote:

> NTP server needs to have route to the outside interface of ASA2. It seems
> that you can see the traffic till the outside interface of ASA1. Is NTP
> server part of the crypto acl on ASA1 and ASA2. If you have not enabled
> sysopt permit vpn command then you need to add a proper vpn filter for the
> reverse traffic i.e. traffic from NTP servers to ASA2.
>
> Regards,
> FNK.
>
> On Fri, Sep 23, 2011 at 7:10 AM, Piotr Matusiak <[email protected]> wrote:
>
>> You can enable logging and check if it goes out and why it is dropped:
>>
>> logging buffered 7
>> logg on
>>
>> show logg will reveal all the info.
>>
>> Regards,
>> Piotr
>>
>> 2011/9/23 parvez ahmad <[email protected]>
>>
>>> Hi Piotr,
>>>
>>> IPsec phase 2 is working fine, packets are encrypting and decrypting
>>> for 10.50.0.0 subnet. Crypto ACLs are mirrored.
>>>
>>> Is there any way to check where the packet is dropping. Except this
>>> site all remote sites are synchronized with the NTP server.
>>>
>>> Regards,
>>> Parvez
>>>
>>>> ------------------------------
>>>>
>>>> Message: 4
>>>> Date: Thu, 22 Sep 2011 15:53:21 +0200
>>>> From: Piotr Matusiak <[email protected]>
>>>> To: parvez ahmad <[email protected]>
>>>> Cc: [email protected]
>>>> Subject: Re: [OSL | CCIE_Security] NTP Authentication on ASA
>>>>
>>>> Do you have routing and Crypto_ACL configured correctly? When the remote
>>>> ASA tries to sync with NTP server it sources the traffic from the
>>>> outside - do you have this in crypto_acl?
>>>>
>>>> Regards,
>>>> Piotr
>>>>
>>>> 2011/9/22 parvez ahmad <[email protected]>
>>>>
>>>> > Hi All
>>>> >
>>>> > Topology is
>>>> >
>>>> > NTP Server------(inside)ASA1(outside)-----------Internet---------(Outside)ASA2(inside)----------Lan
>>>> >
>>>> > ASA1 and ASA2 are connected through site to site VPN. Phase1 and
>>>> > Phase2 are working fine.
>>>> >
>>>> > But ASA1 is synchronized with NTP Server but ASA2 is not.
>>>> >
>>>> > I checked with NTP debug, we are getting Xmit packet but not
>>>> > receiving packet.
>>>> >
>>>> > Even configuration and NTP authentication key are same. On ASA1 Server
>>>> > inside in command and ASA2 server outside.
>>>> >
>>>> > What do we need to check for synchronizing ASA2 with NTP server.
>>>> >
>>>> > Regards,
>>>> > Parvez
>>>> >
>>>> > --
>>>> > Parvez Ahmad
>>>> >
>>>> > _______________________________________________
>>>> > For more information regarding industry leading CCIE Lab training,
>>>> > please visit www.ipexpert.com
>>>> >
>>>> > Are you a CCNP or CCIE and looking for a job? Check out
>>>> > www.PlatinumPlacement.com

--
Parvez Ahmad
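The condition Piotr asks about in the thread (ASA2 sources its NTP traffic from the outside interface, so that address has to be in the crypto ACL on both peers) can be modelled as below. This is an added example, not part of the thread: every address other than 10.50.0.0, the /24 masks and all names are constructed, and ACL entries are simplified to source/destination networks without protocol or port.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing; only the 10.50.0.0 subnet appears in the
# thread, and its /24 mask is an assumption.
NTP_SERVER = ip_address("192.168.10.5")    # behind ASA1 inside
ASA2_OUTSIDE = ip_address("203.0.113.2")   # ASA2 outside interface
HQ_LAN = ip_network("192.168.10.0/24")
ASA2_LAN = ip_network("10.50.0.0/24")


def covers(acl, src, dst):
    """True if some (source_net, dest_net) entry matches the flow src -> dst."""
    return any(src in s and dst in d for s, d in acl)


def mirrored(acl_a, acl_b):
    """True if every entry of one ACL appears reversed in the other."""
    return set(acl_a) == {(d, s) for s, d in acl_b}


def ntp_path_problems(asa1_acl, asa2_acl):
    """Check ASA2's self-sourced NTP request and the server's reply."""
    problems = []
    if not mirrored(asa1_acl, asa2_acl):
        problems.append("crypto ACLs are not mirrored")
    if not covers(asa2_acl, ASA2_OUTSIDE, NTP_SERVER):
        problems.append("ASA2: request from outside IP not in crypto ACL")
    if not covers(asa1_acl, NTP_SERVER, ASA2_OUTSIDE):
        problems.append("ASA1: reply to ASA2 outside IP not in crypto ACL")
    return problems


def host(ip):
    """Single-address network, like an ACL 'host' entry."""
    return ip_network(f"{ip}/32")


# LAN-to-LAN only: mirrored, and 10.50.0.0 hosts are covered.
lan_only_1 = [(HQ_LAN, ASA2_LAN)]
lan_only_2 = [(ASA2_LAN, HQ_LAN)]

# Same ACLs plus a host entry for ASA2's outside address on both sides.
with_host_1 = lan_only_1 + [(host(NTP_SERVER), host(ASA2_OUTSIDE))]
with_host_2 = lan_only_2 + [(host(ASA2_OUTSIDE), host(NTP_SERVER))]

if __name__ == "__main__":
    print(ntp_path_problems(lan_only_1, lan_only_2))
    print(ntp_path_problems(with_host_1, with_host_2))
```

The LAN-only pair passes the mirror check and still reports both NTP flows as uncovered, which is consistent with mirrored ACLs and working 10.50.0.0 traffic alongside a failing sync.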
