The Cisco ASA appliance keeps its hardware clock running from a battery on the motherboard, so the time is retained even while the device is powered off.
Configuring accurate time on the appliance matters first of all for logging: each syslog message can carry a timestamp taken from the device clock, and that timestamp is only as good as the clock behind it.
If you want syslog messages to include a timestamp, first set the clock (with the clock set command) and then enable timestamps with the logging timestamp command (syslog configuration is covered in later sections).
Timestamped log messages are essential for event tracing and forensics when a security incident occurs; without an accurate clock the ASA logs cannot be correlated with logs from other systems.
Another important reason for keeping correct time on the ASA firewall is PKI (Public Key Infrastructure), when digital certificates are used to authenticate IPsec VPN peers.
The ASA uses its local clock to check that a digital certificate is within its validity period (not yet expired and not "not yet valid"). If the clock is wrong, perfectly good certificates are rejected and VPN peers fail authentication. When using PKI digital certificates, set the firewall clock to the UTC time zone.
Cisco ASA NTP Configuration
Configure Clock Settings:
To configure the clock settings of the ASA appliance, use the clock set command as shown below:
ciscoasa# clock set hh:mm:ss [day month | month day] year
Example:
ciscoasa# clock set 18:30:00 Apr 10 2009
To verify the correct clock on the appliance, use the show clock command.
Configure Time Zone and Daylight Saving Time:
To configure the time zone and the summer daylight saving time use the commands below:
ciscoasa# config t
ciscoasa(config)# clock timezone [zone name] [offset hours from UTC]
ciscoasa(config)# clock summer-time [zone name] recurring [week weekday month hh:mm week weekday month hh:mm] [offset]
Example:
ciscoasa(config)# clock timezone MST -7
ciscoasa(config)# clock summer-time MDT recurring 2 Sunday March 2:00 1 Sunday November 2:00
Note that the zone name in clock summer-time is the name displayed while daylight saving time is in effect (MDT for Mountain time), and that the United States changed its daylight saving rules in 2007 to the second Sunday in March through the first Sunday in November; older examples that use April and October dates will set the wrong offset for part of the year. If you omit the week/weekday/month arguments, the ASA applies the current US rules.
Configure Network Time Protocol (NTP):
If there is an NTP server in the network that provides accurate time, you can configure the firewall to synchronize its clock with it instead of relying on a manually set clock. The ASA supports both unauthenticated and authenticated NTP; prefer authenticated NTP wherever the server supports it, since an unauthenticated source can be spoofed and a shifted clock can invalidate certificates or confuse log correlation:
Non-Authenticated NTP:
ciscoasa(config)# ntp server [ip address of NTP] source [interface name]
Example:
ciscoasa(config)# ntp server 10.1.23.45 source inside
Authenticated NTP:
ciscoasa(config)# ntp authenticate
ciscoasa(config)# ntp authentication-key [key ID] md5 [ntp key]
ciscoasa(config)# ntp trusted-key [key ID]
ciscoasa(config)# ntp server [ip address of NTP] key [key ID] source [intf name]
Example:
ciscoasa(config)# ntp authenticate
ciscoasa(config)# ntp authentication-key 32 md5 secretkey1234
ciscoasa(config)# ntp trusted-key 32
ciscoasa(config)# ntp server 10.1.2.3 key 32 source inside
The key ID and the key string must match what is configured on the NTP server, and the key ID must be listed under ntp trusted-key, otherwise the ASA silently ignores that server. Verify synchronization with show ntp status (look for "Clock is synchronized") and show ntp associations, which lists each configured server and whether it is selected as the current time source.
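To make concrete what "ntp authenticate" with an MD5 key actually protects, here is an added Python example (not from the original article and not Cisco code). It builds a minimal NTPv4 client request, appends the RFC 5905 symmetric-key MAC (a 4-byte key ID followed by MD5 over key || packet, the construction used by the reference ntpd implementation and interoperable with Cisco md5 keys), and verifies it against a trusted-key table, rejecting a tampered packet, a wrong key, an untrusted key ID and an unauthenticated packet. The key ID 32 and the key secretkey1234 are the article's example values; the packet contents and transmit timestamp are constructed, nothing is sent to UDP/123, and the verifier assumes 20-byte MD5 MACs only (not 24-byte SHA-1 MACs).

```python
"""Added example: NTPv4 symmetric-key (MD5) authentication, RFC 5905 style.

Key ID 32 / key 'secretkey1234' mirror the article's ASA example.
Everything else (timestamps, tampering) is constructed for illustration.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48              # fixed NTPv4 header, no extension fields
MD5_MAC_LEN = 20                 # 4-byte key ID + 16-byte MD5 digest
NTP_EPOCH_OFFSET = 2208988800    # seconds from 1900-01-01 to 1970-01-01


def build_client_request(transmit_unix_time: float) -> bytes:
    """Build a minimal NTPv4 client-mode request (LI=0, VN=4, Mode=3)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    header = struct.pack("!BBBb", li_vn_mode, 0, 6, -20)  # stratum, poll, precision
    header += struct.pack("!II", 0, 0)                    # root delay, root dispersion
    header += b"\x00" * 4                                 # reference ID
    header += b"\x00" * 8                                 # reference timestamp
    header += b"\x00" * 8                                 # origin timestamp
    header += b"\x00" * 8                                 # receive timestamp
    secs = int(transmit_unix_time) + NTP_EPOCH_OFFSET
    frac = int((transmit_unix_time - int(transmit_unix_time)) * 2**32)
    header += struct.pack("!II", secs, frac)              # transmit timestamp (offset 40)
    return header


def ntp_md5_mac(key_id: int, key: bytes, message: bytes) -> bytes:
    """MAC = key_id || MD5(key || message). Note: keyed prefix digest, not HMAC."""
    return struct.pack("!I", key_id) + hashlib.md5(key + message).digest()


def sign_packet(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append the MAC, as a sender configured with 'ntp authentication-key' would."""
    return packet + ntp_md5_mac(key_id, key, packet)


def verify_packet(packet: bytes, trusted_keys: dict) -> bool:
    """Accept only if a MAC is present, its key ID is trusted and the digest matches.

    trusted_keys plays the role of the ASA's 'ntp trusted-key' list.
    """
    if len(packet) < NTP_HEADER_LEN + MD5_MAC_LEN:
        return False                      # no MAC: unauthenticated packet
    body, mac = packet[:-MD5_MAC_LEN], packet[-MD5_MAC_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False                      # key ID not in the trusted list
    expected = hashlib.md5(key + body).digest()
    return hmac.compare_digest(expected, mac[4:])  # constant-time compare


def demo() -> dict:
    """Run the genuine and failure cases; returns a name -> accepted? map."""
    trusted = {32: b"secretkey1234"}                      # 'ntp trusted-key 32'
    request = build_client_request(1239388200.0)          # constructed: 2009-04-10 18:30 UTC
    genuine = sign_packet(request, 32, b"secretkey1234")

    tampered = bytearray(genuine)
    tampered[40] ^= 0x01                                   # flip a bit in the transmit timestamp
    wrong_key = sign_packet(request, 32, b"wrongkey")      # attacker guessing the key
    untrusted_id = sign_packet(request, 33, b"secretkey1234")  # right key, ID not trusted

    return {
        "genuine": verify_packet(genuine, trusted),
        "tampered": verify_packet(bytes(tampered), trusted),
        "wrong_key": verify_packet(wrong_key, trusted),
        "untrusted_key_id": verify_packet(untrusted_id, trusted),
        "unauthenticated": verify_packet(request, trusted),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18s} accepted={accepted}")
```

Two things the example makes visible that the CLI does not: the digest is MD5 over the shared key prefixed to the packet, so both ends must hold the identical key string under the identical key ID (a mismatch fails exactly like the "wrong_key" and "untrusted_key_id" cases, with no error reported to the client), and the MAC gives origin authentication and integrity only; it provides no confidentiality and no replay protection beyond the timestamps in the packet itself.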
Importance of NTP
In the networking and IT world in general, having accurate time settings on all the devices of the network is of paramount importance.
This is especially true in the security realm. If you need to investigate a breach, or to take legal action against an attacker or against an employee who leaked corporate data to a competitor, logs with correct and consistent timestamps across every device are what let you reconstruct the sequence of events and make the evidence hold up.
You can keep correct time on all of your network and IT devices in several ways. Many companies use their internal Active Directory domain controllers (the forest's PDC emulator is the authoritative time source for the domain and is itself synchronized to an accurate external NTP server) to provide time to all internal IT assets, and point network devices such as the ASA at the same internal servers so that every log uses one time base.
In public telecommunication networks (mobile 4G, fixed telephony etc) where time settings must be accurate in the range of milliseconds (or even smaller), atomic clocks are used for syncing the time.
There are several public NTP servers available which you can use to synchronize your ASA devices (or any network equipment), such as pool.ntp.org, the NIST servers (https://tf.nist.gov/tf-cgi/servers.cgi) etc.
NTP Protocol Port
NTP runs over UDP port 123. If internal hosts or other devices must reach an NTP server through the ASA, permit UDP/123 to the server in the relevant access list (server-to-server exchanges use port 123 on both ends; clients normally use an ephemeral source port and the ASA's stateful inspection allows the reply). NTP traffic that the ASA itself originates with ntp server is not filtered by the interface access lists, so it only needs a route to the server.