NTP
The NTP is used to implement a hierarchical system of servers that provide a source for a
precise synchronized time among network systems. It is important to maintain a consistent
time throughout all network devices, such as servers, routers, and switches. When analyzing
network events, logs are an important source of information. Analyzing and troubleshooting
network events can be difficult if there is a time inconsistency between network devices on
the network. Furthermore, some time-sensitive operations, such as validating certificates and
certificate revocation lists (CRLs), require precise time stamps.
Cisco PIX Firewall version 6.2 and later, as well as ASA Security version 7.0, enable you
obtain the system time from NTP version 3 servers.
The syntax to enable an NTP client on the Security Appliance is as follows:
ntp server ip-address [key number] source if-name [prefer]
Table 6-13 describes the parameters of the ntp command.
Table 6-13 ntp Command Parameters
Command Parameter Description
ip-address Specifies the IP address of the time server with which the Security
Appliance synchronizes.
key This keyword indicates that you are configuring the NTP client to
use the specified authentication key (identified by number) when
sending packets to the NTP server.
number Specifies the authentication key. This value is useful when you use
multiple keys and multiple servers for identification purposes.
source Specifies the interface. If the source keyword is not specified, the
routing table is used to determine the interface.
if-name Specifies the interface name used to send packets to the NTP server.
prefer Specifies the preferred time server. This option reduces switching
back and forth between servers by making the specified server the
preferred time server.
Communication of messages between the Security Appliance and the NTP servers can be
authenticated to prevent the Security Appliance from synchronizing time with rogue NTP
servers. The three commands used to enable NTP authentication are as follows:
ntp authenticate
ntp authentication-key number md5 value
ntp trusted-key number
The ntp authenticate command enables NTP authentication and refuses synchronization
with an NTP server unless the server is configured with one of the authentication keys
specified using the ntp trusted-key command.
The ntp authentication-key command is used to define authentication keys for use with other
NTP commands to provide a higher degree of security. The number parameter is the key
number (1 to 4,294,967,295). The md5 option is the encryption algorithm. The value
parameter is the key value (an arbitrary string of up to 32 characters).
The ntp trusted-key command is used to define one or more key numbers that the NTP server
is required to provide in its NTP packets for the Security Appliance to accept synchronization
with that NTP server. The Cisco Security Appliance requires the NTP server to provide this
key number in its NTP packets, which provides protection against synchronizing the Security
Appliance system clock with an NTP server that is not trusted.
NTP configuration on the Security Appliance can be verified and viewed by using the
following show commands:
■ The show ntp command displays the current NTP configuration.
■ The show ntp associations [detail] command displays the configured network time server
associations.
■ The show ntp status command displays the NTP clock information.
To remove the NTP configuration, use the clear ntp command.