
PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH

Operations
Instructor Version
Topology Diagram
Addressing Table
Device  Interface      IP Address    Subnet Mask      Default Gateway  Switch Port
R1      FA0/1          192.168.1.1   255.255.255.0    N/A              S1 FA0/5
R1      S0/0/0 (DCE)   10.1.1.1      255.255.255.252  N/A              N/A
R2      S0/0/0         10.1.1.2      255.255.255.252  N/A              N/A
R2      S0/0/1 (DCE)   10.2.2.2      255.255.255.252  N/A              N/A
R3      FA0/1          192.168.3.1   255.255.255.0    N/A              S3 FA0/5
R3      S0/0/1         10.2.2.1      255.255.255.252  N/A              N/A
PC-A    NIC            192.168.1.5   255.255.255.0    192.168.1.1      S1 FA0/6
PC-B    NIC            192.168.1.6   255.255.255.0    192.168.1.1      S2 FA0/18
PC-C    NIC            192.168.3.5   255.255.255.0    192.168.3.1      S3 FA0/6
All contents are Copyright © 1992–2010 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 5
CCNA Security
Learning Objectives
Configure routers as NTP clients.
Configure routers to update the hardware clock using NTP.
Configure routers to log messages to the syslog server.
Configure routers to timestamp log messages.
Configure local users.
Configure VTY lines to accept SSH connections only.
Configure RSA key pair on SSH server.
Verify SSH connectivity from PC client and router client.
Introduction
The network topology shows three routers. You will configure NTP and Syslog on all routers. You will configure
SSH on R3.
Network Time Protocol (NTP) allows routers on the network to synchronize their time settings with an NTP
server. A group of NTP clients that obtain time and date information from a single source have more consistent
time settings, and the Syslog messages they generate can be analyzed more easily. This can help when
troubleshooting network problems and attacks. When NTP is implemented in the network, it can be
set up to synchronize to a private master clock, or to a publicly available NTP server on the Internet.
The NTP Server is the master NTP server in this lab. You will configure the routers to allow the software clock
to be synchronized by NTP to the time server. Also, you will configure the routers to periodically update the
hardware clock with the time learned from NTP. Otherwise, the hardware clock will tend to gradually lose or
gain time (drift), and the software clock and hardware clock may become out of synchronization with each other.
The Syslog Server will provide message logging in this lab. You will configure the routers to identify the remote
host (Syslog server) that will receive logging messages.
You will need to configure timestamp service for logging on the routers. Displaying the correct time and date in
Syslog messages is vital when using Syslog to monitor a network. If the correct time and date of a message is
not known, it can be difficult to determine what network event caused the message.
R2 is an ISP connected to two remote networks: R1 and R3. The local administrator at R3 can perform most
router configurations and troubleshooting; however, since R3 is a managed router, the ISP needs access to R3
for occasional troubleshooting or updates. To provide this access in a secure manner, the administrators have
agreed to use Secure Shell (SSH).
You use the CLI to configure the router to be managed securely using SSH instead of Telnet. SSH is a network
protocol that establishes a secure terminal emulation connection to a router or other networking device. SSH
encrypts all information that passes over the network link and provides authentication of the remote computer.
SSH is rapidly replacing Telnet as the remote login tool of choice for network professionals.
The servers have been pre-configured for NTP and Syslog services respectively. NTP will not require
authentication. The routers have been pre-configured with the following:
Enable password: ciscoenpa55
Password for vty lines: ciscovtypa55
Static routing
Task 1: Configure routers as NTP Clients.
Step 1. Test Connectivity
Ping from PC-C to R3.
Ping from R2 to R3.
Telnet from PC-C to R3. Exit the Telnet session.
Telnet from R2 to R3. Exit the Telnet session.
Step 2. Configure R1, R2 and R3 as NTP clients.
R1(config)# ntp server 192.168.1.5
R2(config)# ntp server 192.168.1.5
R3(config)# ntp server 192.168.1.5
Verify client configuration using the command show ntp status.
Step 3. Configure routers to update hardware clock.
Configure R1, R2 and R3 to periodically update the hardware clock with the time learned from NTP.
R1(config)# ntp update-calendar
R2(config)# ntp update-calendar
R3(config)# ntp update-calendar
Verify that the hardware clock was updated using the command show clock.
Step 4. Configure routers to timestamp log messages.
Configure timestamp service for logging on the routers.
R1(config)# service timestamps log datetime msec
R2(config)# service timestamps log datetime msec
R3(config)# service timestamps log datetime msec
Explanation: whenever an event occurs on any of the routers, the log entry is recorded with a timestamp
down to the millisecond.
Task 2: Configure routers to log messages to the Syslog Server.
Step 5. Configure the routers to identify the remote host (Syslog Server) that will receive logging
messages.
R1(config)# logging host 192.168.1.6
R2(config)# logging host 192.168.1.6
R3(config)# logging host 192.168.1.6
The router console will display a message that logging has started.
Step 6. Verify logging configuration using the command show logging.
Step 7. Examine logs of the Syslog server.
From the Config tab of the Syslog server's dialogue box, select the Syslog services button. Observe the
logging messages received from the routers.
Note: Log messages can be generated on the server by executing commands on the router. For example,
entering and exiting global configuration mode will generate an informational configuration message.
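The value of NTP-synchronized, millisecond timestamps shows up on the receiving side, when the syslog server parses what the routers send. As an added example (not part of the Cisco lab), the Python below parses Cisco IOS syslog lines of the shape the routers emit after Steps 4 and 5 and flags the gaps a defender would want to see: a message with no timestamp (service timestamps log not set), an uptime-only stamp, a stamp without milliseconds, and a timestamp prefixed with '*' (the router's clock is not authoritative, i.e. NTP has not synchronized it) or '.' (the clock was authoritative but NTP synchronization was lost). It also checks that the syslog PRI value agrees with the severity in the message mnemonic (PRI = facility * 8 + severity). The sample lines and their source addresses are constructed; the UDP/514 receive side is left out so the block runs offline.

```python
import re
from collections import defaultdict

# Shape of an IOS syslog line as it arrives at a syslog host:
#   <PRI>counter: [*|.]timestamp: %FACILITY-SEVERITY-MNEMONIC: text
# '*' before the timestamp = clock not authoritative (never synchronised)
# '.' before the timestamp = clock was authoritative, NTP sync since lost
MSG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<counter>\d+): )?"
    r"(?:(?:(?P<flag>[*.])?(?P<datetime>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?P<msec>\.\d{3})?)(?: [A-Z]{3,4})?"
    r"|(?P<uptime>\d+:\d{2}:\d{2})): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)


def parse_ios_syslog(line):
    """Split one IOS syslog line into its fields; None if it is not IOS-shaped."""
    m = MSG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_message(fields):
    """Return the logging/NTP problems that a single parsed message reveals."""
    findings = []
    if fields["datetime"] is None and fields["uptime"] is None:
        findings.append("no-timestamp")                  # 'service timestamps log' missing
    elif fields["uptime"] is not None:
        findings.append("uptime-only")                   # 'datetime' needed, not 'uptime'
    else:
        if fields["msec"] is None:
            findings.append("no-msec")                   # 'datetime msec' expected
        if fields["flag"] == "*":
            findings.append("clock-not-authoritative")   # NTP has never synchronised
        elif fields["flag"] == ".":
            findings.append("ntp-sync-lost")
    if fields["pri"] is not None and int(fields["pri"]) % 8 != int(fields["severity"]):
        findings.append("pri-severity-mismatch")         # PRI = facility*8 + severity
    return findings


def audit(records):
    """records: iterable of (source_ip, raw_line). Returns {source_ip: sorted findings}."""
    per_host = defaultdict(set)
    for src, line in records:
        fields = parse_ios_syslog(line)
        if fields is None:
            per_host[src].add("unparsed")
            continue
        per_host[src].update(check_message(fields))
    return {src: sorted(f) for src, f in per_host.items()}


# Constructed sample, as if received on UDP/514 from the lab routers (not a real capture).
SAMPLE = [
    ("192.168.1.1", "<189>12: Mar  1 00:07:41.305: %SYS-5-CONFIG_I: Configured from console by console"),
    ("10.1.1.2",    "<187>8: *Mar  1 00:01:02.118: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up"),
    ("10.2.2.1",    "<189>3: %SYS-5-CONFIG_I: Configured from console by console"),
    ("10.2.2.1",    "<189>00:02:13: %SYS-5-CONFIG_I: Configured from console by console"),
    ("10.2.2.1",    "<189>5: .Mar  1 00:09:00: %SYS-5-CONFIG_I: Configured from console by console"),
]

if __name__ == "__main__":
    for host, findings in audit(SAMPLE).items():
        print(host, "OK" if not findings else ", ".join(findings))
```

Run against the sample, the first router is clean, the second reports clock-not-authoritative (it logs with milliseconds but NTP has not synchronized its clock, so its timestamps cannot be correlated with the others), and the third shows every stamp-related gap at once. In practice the same checks run over the server's received-message buffer, and a persistent '*' from one router is the quickest sign that Step 2 did not take effect there.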
Task 3: Configure R3 to support SSH connections.
Step 8. Configure a domain name.
Configure a domain name of ccnasecurity.com on R3.
R3(config)# ip domain-name ccnasecurity.com
Step 9. Configure users for login from the SSH client on R3.
Create a user ID of SSHadmin with the highest possible privilege level and a secret password of
ciscosshpa55.
R3(config)# username SSHadmin privilege 15 secret ciscosshpa55
Explanation: creates a user ID with the highest access level.
Step 10. Configure the incoming VTY lines on R3.
Use the local user accounts for mandatory login and validation. Accept only SSH connections.
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# transport input ssh
Explanation: restricts the lines so that only SSH connections can get through.
Step 11. Erase existing key pairs on R3.
Any existing RSA key pairs should be erased on the router.
R3(config)# crypto key zeroize rsa
Explanation: deletes the RSA key.
Note: If no keys exist, you might receive this message: % No Signature RSA Keys found in
configuration.
Step 12. Generate the RSA encryption key pair for R3.
The router uses the RSA key pair for authentication and encryption of transmitted SSH data. Configure the RSA
keys with a modulus of 1024. The default is 512, and the range is from 360 to 2048.
R3(config)# crypto key generate rsa [Enter]
The name for the keys will be: R3.ccnasecurity.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Note: The command to generate RSA encryption key pairs for R3 in Packet Tracer differs from those used in
the lab.
Step 13. Verify the SSH configuration.
Use the show ip ssh command to see the current settings. Verify that the authentication timeout and retries
are at their default values of 120 and 3.
Step 14. Configure SSH timeouts and authentication parameters.
The default SSH timeouts and authentication parameters can be altered to be more restrictive. Set the timeout
to 90 seconds, the number of authentication retries to 2, and the version to 2.
R3(config)# ip ssh time-out 90
R3(config)# ip ssh authentication-retries 2
R3(config)# ip ssh version 2
Explanation: SSH waits up to 90 seconds; once that time has passed, the session is closed automatically. And if the
password is entered wrongly 2 times, the session is likewise closed automatically (applies to !"#)
Issue the show ip ssh command again to confirm that the values have been changed.
Step 15. Attempt to connect to R3 via Telnet from PC-C.
Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect to
R3 via Telnet.
PC> telnet 192.168.3.1
This connection should fail, since R3 has been configured to accept only SSH connections on the virtual
terminal lines.
Step 16. Connect to R3 using SSH on PC-C.
Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect to
R3 via SSH. When prompted for the password, enter the password configured for the administrator:
ciscosshpa55.
PC> ssh -l SSHadmin 192.168.3.1
Step 17. Connect to R3 using SSH on R2.
In order to troubleshoot and maintain the R3 router, the administrator at the ISP must use SSH to access the
router CLI. From the CLI of R2, enter the command to connect to R3 via SSH version 2 using the SSHadmin
user account. When prompted for the password, enter the password configured for the administrator:
ciscosshpa55.
R2# ssh -v 2 -l SSHadmin 10.2.2.1
Step 18. Check results.
Your completion percentage should be 100%. Click Check Results to see feedback and verification of which
required components have been completed.
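Steps 8 to 14 together define what a hardened management plane on R3 looks like, and show ip ssh only shows part of it. As an added example (not part of the Cisco lab), the Python below audits a running-config text against exactly those settings: a domain name, SSH version 2, a timeout no larger than 90 seconds, at most 2 authentication retries, a local user with a secret, and vty lines that use login local and accept only SSH. Both config excerpts are constructed samples (the "before" state uses the lab's pre-configured vty password); the secret hash is a placeholder, not a real digest. The RSA modulus is not checked here because the key pair is not part of the running-config text; that check belongs with show crypto key mypubkey rsa.

```python
import re

# Constructed running-config excerpt for R3 after the lab (not a Packet Tracer capture).
R3_CONFIG = """\
hostname R3
!
ip domain-name ccnasecurity.com
!
username SSHadmin privilege 15 secret 5 $1$PLACEHOLDER$notarealhash
!
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
!
line con 0
line vty 0 4
 login local
 transport input ssh
!
end
"""

# The same router before the lab: line password, Telnet still allowed, SSH defaults untouched.
R3_BEFORE = """\
hostname R3
!
line vty 0 4
 password ciscovtypa55
 login
 transport input all
!
end
"""


def parse_vty_lines(config):
    """Return {'line ...': [indented commands]} for every line block in a running-config."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current:
            sections[current].append(raw.strip())
        else:
            current = None          # '!' or any top-level command ends the block
    return sections


def audit_ssh(config, max_timeout=90, max_retries=2):
    """Compare a running-config text with the settings the lab applies; return findings."""
    findings = []
    if not re.search(r"^ip domain-name \S+$", config, re.M):
        findings.append("no-domain-name")            # RSA keys need a host.domain name
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ssh-version-not-2")
    m = re.search(r"^ip ssh time-out (\d+)$", config, re.M)
    timeout = int(m.group(1)) if m else 120          # IOS default when absent
    if timeout > max_timeout:
        findings.append(f"timeout-{timeout}s-exceeds-{max_timeout}s")
    m = re.search(r"^ip ssh authentication-retries (\d+)$", config, re.M)
    retries = int(m.group(1)) if m else 3            # IOS default when absent
    if retries > max_retries:
        findings.append(f"retries-{retries}-exceeds-{max_retries}")
    if not re.search(r"^username \S+ (?:privilege \d+ )?secret ", config, re.M):
        findings.append("no-local-user-with-secret")
    for section, cmds in parse_vty_lines(config).items():
        if not section.startswith("line vty"):
            continue
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport != "transport input ssh":
            findings.append(f"{section}: {transport or 'transport input not set'}")
        if "login local" not in cmds:
            findings.append(f"{section}: no 'login local'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", R3_BEFORE), ("after", R3_CONFIG)):
        print(name, audit_ssh(cfg) or "OK")
```

The "before" config produces seven findings and the "after" config none, which is the same pass/fail a reviewer applies by eye to show running-config; scripting it makes the check repeatable across R1 and R2 if the ISP later brings them under the same policy. Note that the audit treats a missing ip ssh time-out or authentication-retries line as the IOS defaults of 120 seconds and 3 retries, the values Step 13 expects to see before Step 14 changes them.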