Cisco Firewall ACL – Configuring ACL for NTP

The reason why the port forwarding is not working with the access-list applied to the interface is quite simple.

Let's see what happens when the outside client requests the https webpage.

The destination port in the request packet is 443, while the source port is random. This request gets translated by nat at the router, then goes all the way to the server, server answers with the packet sourced from port 443 and destined to that client's random number port.

The packet in its journey back to the client gets to your router, but router wouldn't let the packet leave, because the destination port (that random port) is not specified in the access-list you have created.

And that would be the reason you are looking for.

That is all you need to get going, however it isn't an ideal configuration. I'll ignore security and local NTP architecture and focus on your current config.

The minimum recommended NTP servers is generally 3, but preferably 4. The reason for this is not only resiliency but it gives the client (your N7k) a better reference if any of the upstream servers start experiencing issues or clock drift.

With NTP, when a server is well out of sync, the client will disregard it as a valid source (even if it is a higher stratum than the others!). If you have two servers configured then how do you tell who is out of sync? The third server gives the client another point of reference that can be used to tell who is out of sync (the more the merrier, up until a certain point).

Also, I think bitsy.mit.edu is a Stratum 3 - you might be able to find a few Stratum 2 servers that are close by instead. If you have a reason for those particular servers then feel free to ignore this.

Tl;dr yes it will work.