
Having a correct time set on a Cisco ASA is important for a number of reasons. Possibly the most important reason is that digital certificates compare this time to the range defined by their Valid From and Valid To fields to define a specific validity period. Having a correct time set is also important when logging information with the timestamp option.

Whether you are sending messages to a syslog server, sending messages to an SNMP monitoring station, or performing packet captures, time stamps are of little use if you cannot be certain of their accuracy. The default ASA time is set to UTC (Coordinated Universal Time), but you can add local time zone information so that the time displayed by the ASA is more relevant to those who are viewing it. Even if you set local time zone information, the ASA internally tracks time as UTC, so if it is interacting with hosts in other time zones (which is fairly common when using digital certificates for VPN connectivity, for example), they have a common frame of reference.

To set the time locally on the ASA (that is, not using Network Time Protocol), first navigate to Configuration > Device Setup > System Time > Clock to display the Clock settings window, shown in Figure 6-1. If you want to set the clock to UTC time, simply enter a new date and time, as UTC is the default time zone. If you prefer to set the clock using your local time zone, choose that time zone from the drop-down list before you enter a new date and time (Figure 6-1 shows the North American Central Time Zone being selected). You can then set the date and time accordingly. Time is set as hours, minutes, and seconds, in 24-hour format. Optionally, you can click the Update Displayed Time button to update the time shown in the bottom-right corner of the Cisco ASDM status bar. The current time updates automatically every ten seconds.

Click Apply to complete the setting of the internal clock. The configured time is retained in memory when the power is off, by a battery on the security appliance motherboard.

Of course, to ensure precise synchronization of the ASA's clock to the rest of your network, you should configure the ASA to obtain time information from a trusted NTP server. To do so, navigate to Configuration > Device Setup > System Time > NTP. To define a new NTP time source, click Add to open the Add NTP Server Configuration dialog box, shown in Figure 6-2. Define the IP address of the new NTP time source, the ASA interface through which this NTP server can be reached, and any information relevant to the use of authenticated NTP communication.

Figure 6-3 Configuring Multiple NTP Servers

Using an NTP server reachable through the outside interface, and not using authentication, is inherently subject to potential compromise, so it should be done only as a backup to an internal NTP server, if available. Note also that, because NTP Authentication is enabled on this ASA, time would not currently be accepted from the server, because it is not configured for authenticated NTP messaging. Thus, the addition of this server is for example purposes only.

Time derived from an NTP server overrides any time set manually in the Clock pane. However, in the unlikely event of an extended period of unavailability of any configured NTP servers, the local clock can serve as a fallback mechanism for maintaining time on the security appliance.

Setting a server as preferred does not guarantee that the ASA will accept the time advertised by such a server. The security appliance will choose the NTP server with the lowest stratum number and synchronize to that server. (A stratum number indicates the distance from the reference clock, so a lower stratum number implies that a server is more reliable than others with a higher stratum number. The atomic clock at NIST, for instance, is considered stratum 0.) If several servers have similar accuracy, the preferred server is used. If another server is significantly more accurate than the preferred server, however, the ASA uses the more accurate one.

The CLI commands generated by the changes made are as follows:

    clock set 21:24:37 NOV 1 2010
    clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 60
    ntp authenticate
    ntp authentication-key 1 md5 <key-string>
    ntp trusted-key 1
    ntp server 10.0.0.5 key 1 source inside prefer
    ntp server 192.43.244.18 source outside
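The following is an added example, not part of the original page and not Cisco tooling: a Python check over the NTP lines of an ASA configuration that flags the case described on this page, a server with no key while NTP authentication is enabled, along with keys that are referenced but not defined or trusted. The name audit_ntp, the choice of outside as the untrusted interface, and the sample configuration (the page's NTP commands with a placeholder key string) are assumptions.

```python
import re

# Constructed sample: the NTP commands shown on this page, with a placeholder key string.
SAMPLE_CONFIG = """\
ntp authenticate
ntp authentication-key 1 md5 PLACEHOLDER-KEY
ntp trusted-key 1
ntp server 10.0.0.5 key 1 source inside prefer
ntp server 192.43.244.18 source outside
"""

SERVER_RE = re.compile(
    r"^ntp server (?P<ip>\S+)(?: key (?P<key>\d+))?(?: source (?P<src>\S+))?(?: prefer)?$"
)

def audit_ntp(config, untrusted_ifaces=("outside",)):
    """Return (server_ip, finding) tuples for the NTP lines of an ASA config."""
    lines = [ln.strip().lower() for ln in config.splitlines() if ln.strip()]
    auth_on = "ntp authenticate" in lines
    defined = {ln.split()[2] for ln in lines if ln.startswith("ntp authentication-key ")}
    trusted = {ln.split()[2] for ln in lines if ln.startswith("ntp trusted-key ")}
    findings = []
    for ln in lines:
        m = SERVER_RE.match(ln)
        if not m:
            continue
        ip, key, src = m["ip"], m["key"], m["src"]
        if key is None:
            if auth_on:  # the case the page describes for 192.43.244.18
                findings.append((ip, "no key while 'ntp authenticate' is set: time not accepted"))
            if src in untrusted_ifaces:
                findings.append((ip, f"unauthenticated server reached through '{src}'"))
            continue
        if not auth_on:
            findings.append((ip, f"key {key} referenced but 'ntp authenticate' is not set"))
        if key not in defined:
            findings.append((ip, f"key {key} has no 'ntp authentication-key' line"))
        if key not in trusted:
            findings.append((ip, f"key {key} is not listed by 'ntp trusted-key'"))
    return findings

if __name__ == "__main__":
    for ip, finding in audit_ntp(SAMPLE_CONFIG):
        print(f"{ip}: {finding}")
```

Run against the sample, the check reports only the outside server; the internal server with key 1 passes because the key is both defined and trusted.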
