PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

Instructor Version Topology Diagram

Addressing Table
Device R1 R# R, PC-A PC-/ PC-C Interface FA !1 S ! ! ()C*+ S ! ! S ! !1 ()C*+ FA !1 S ! !1 N.C N.C N.C IP Address 1"#$1%&$1$1 1 $1$1$1 1 $1$1$# 1 $#$#$# 1"#$1%&$,$1 1 $#$#$1 1"#$1%&$1$' 1"#$1%&$1$% 1"#$1%&$,$' Subnet Mask #''$#''$#''$ #''$#''$#''$#'# #''$#''$#''$#'# #''$#''$#''$#'# #''$#''$#''$ #''$#''$#''$#'# #''$#''$#''$ #''$#''$#''$ #''$#''$#''$ Default Gateway N!A N!A N!A N!A N!A N!A 1"#$1%&$1$1 1"#$1%&$1$1 1"#$1%&$,$1 Switc Port S1 FA N!A N!A N!A S, FA N!A S1 FA S# FA S, FA !'

!' !% !1& !%

All contents are Copyrig0t 1 1""#2#

" Cisco Syste3s, .nc$ All rig0ts reserved$ T0is docu3ent is Cisco Pu4lic .nfor3ation$

Page 1 of '

CCNA Security

!earning "b#ectives
Configure routers as NTP clients$ Configure routers to update t0e 0ard5are cloc6 using NTP$ Configure routers to log 3essages to t0e syslog server$ Configure routers to ti3esta3p log 3essages$ Configure local users$ Configure 7T8 lines to accept SSH connections only$ Configure RSA 6ey pair on SSH server$ 7erify SSH connectivity fro3 PC client and router client$

Introduction
T0e net5or6 topology s0o5s t0ree routers$ 8ou 5ill configure NTP and Syslog on all routers$ 8ou 5ill configure SSH on R,$ Net5or6 Ti3e Protocol (NTP+ allo5s routers on t0e net5or6 to sync0roni9e t0eir ti3e settings 5it0 an NTP server$ A group of NTP clients t0at o4tain ti3e and date infor3ation fro3 a single source 0ave 3ore consistent ti3e settings and Syslog 3essages generated can 4e analy9ed 3ore easily$ T0is can 0elp 50en trou4les0ooting issues 5it0 net5or6 pro4le3s and attac6s$ :0en NTP is i3ple3ented in t0e net5or6, it can 4e set up to sync0roni9e to a private 3aster cloc6, or to a pu4licly availa4le NTP server on t0e .nternet$ T0e NTP Server is t0e 3aster NTP server in t0is la4$ 8ou 5ill configure t0e routers to allo5 t0e soft5are cloc6 to 4e sync0roni9ed 4y NTP to t0e ti3e server$ Also, you 5ill configure t0e routers to periodically update t0e 0ard5are cloc6 5it0 t0e ti3e learned fro3 NTP$ Ot0er5ise, t0e 0ard5are cloc6 5ill tend to gradually lose or gain ti3e (drift+ and t0e soft5are cloc6 and 0ard5are cloc6 3ay 4eco3e out of sync0roni9ation 5it0 eac0 ot0er$ T0e Syslog Server 5ill provide 3essage logging in t0is la4$ 8ou 5ill configure t0e routers to identify t0e re3ote 0ost (Syslog server+ t0at 5ill receive logging 3essages$ 8ou 5ill need to configure ti3esta3p service for logging on t0e routers$ )isplaying t0e correct ti3e and date in Syslog 3essages is vital 50en using Syslog to 3onitor a net5or6$ .f t0e correct ti3e and date of a 3essage is not 6no5n, it can 4e difficult to deter3ine 50at net5or6 event caused t0e 3essage$ R# is an .SP connected to t5o re3ote net5or6s: R1 and R,$ T0e local ad3inistrator at R, can perfor3 3ost router configurations and trou4les0ooting; 0o5ever, since R, is a 3anaged router, t0e .SP needs access to R, for occasional trou4les0ooting or updates$ To provide t0is access in a secure 3anner, t0e ad3inistrators 0ave agreed to use Secure S0ell (SSH+$ 8ou use t0e C<. to configure t0e router to 4e 3anaged securely using SSH instead of Telnet$ SSH is a net5or6 protocol t0at esta4lis0es a secure ter3inal e3ulation connection to a router or ot0er net5or6ing device$ SSH encrypts all infor3ation t0at passes over t0e net5or6 lin6 and provides aut0entication of t0e re3ote co3puter$ SSH is rapidly replacing Telnet as t0e re3ote login tool of c0oice for net5or6 professionals$ T0e servers 0ave 4een pre-configured for NTP and Syslog services respectively$ NTP 5ill not re=uire aut0entication$ T0e routers 0ave 4een pre-configured 5it0 t0e follo5ing: *na4le pass5ord: ciscoenpa$$ Pass5ord for vty lines: ciscovtypa$$ Static routing

All contents are Copyrig0t 1 1""#2#

" Cisco Syste3s, .nc$ All rig0ts reserved$ T0is docu3ent is Cisco Pu4lic .nfor3ation$

Page # of '

CCNA Security

Task %&

'onfigure routers as (TP 'lients)

Step 1. Test Connectivity Ping fro3 PC-C to R,$ Ping fro3 R# to R,$ Telnet fro3 PC-C to R,$ Telnet fro3 R# to R,$

Step 2. Configure R1, R2 and R3 as NTP clients. R1(config)# ntp server 192.168.1.5 R2(config)# ntp server 192.168.1.5 R3(config)# ntp server 192.168.1.5 7erify client configuration using t0e co33and s ow ntp status$ Step 3. Configure routers to update hardware cloc . Configure R1, R# and R, to periodically update t0e 0ard5are cloc6 5it0 t0e ti3e learned fro3 NTP$ R1(config)# ntp update-calendar R2(config)# ntp update-calendar R3(config)# ntp update-calendar 7erify t0at t0e 0ard5are cloc6 5as updated using t0e co33and s ow clock$ Step !. Configure routers to ti"esta"p log "essages. Step #. Configure ti"esta"p service for logging on the routers. R1(config)# service timestamps log datetime msec R2(config)# service timestamps log datetime msec R3(config)# service timestamps log datetime msec

Task *&

'onfigure routers to log messages to t e Syslog Server)

Step $. Configure the routers to identify the re"ote host %Syslog Server& that will receive logging "essages. R1(config)# logging 192.168.1.6 R2(config)# logging 192.168.1.6 R3(config)# logging 192.168.1.6 T0e router console 5ill display a 3essage t0at logging 0as started$ Step '. (erify logging configuration using the co""and show logging. Step ). *+a"ine logs of the Syslog server. Fro3 t0e 'onfig ta4 of t0e Syslog server>s dialogue 4o?, select t0e Syslog services 4utton$ O4serve t0e logging 3essages received fro3 t0e routers$ (ote& <og 3essages can 4e generated on t0e server 4y e?ecuting co33ands on t0e router$ For e?a3ple, entering and e?iting glo4al configuration 3ode 5ill generate an infor3ational configuration 3essage$

All contents are Copyrig0t 1 1""#2#

" Cisco Syste3s, .nc$ All rig0ts reserved$ T0is docu3ent is Cisco Pu4lic .nfor3ation$

Page , of '

CCNA Security

Task +&

'onfigure ,+ to support SS- connections)

Step ,. Configure a do"ain na"e. Configure a do3ain na3e of ccnasecurity)com on R,$ R3(config)# ip domain-name ccnasecurity.com Step 1-. Configure users for login fro" the SS. client on R3.

Create a user .) of SS-admin 5it0 t0e 0ig0est possi4le privilege level and a secret pass5ord of ciscoss pa$$$ R3(config)# username SSHadmin privilege 15 secret ciscosshpa55 Step 11. Configure the inco"ing (T/ lines on R3.

@se t0e local user accounts for 3andatory login and validation$ Accept only SSH connections$ R3(config)# line vty 0 4 R3(config-line)# login local R3(config-line)# transport input ssh Step 12. *rase e+isting ey pairs on R3. ey !eroi!e rsa

Any e?isting RSA 6ey pairs s0ould 4e erased on t0e router$ R3(config)#crypto (ote& .f no 6eys e?ist, you 3ig0t receive t0is 3essage: % No Signature RSA Keys found in configuration$ 0enerate the RS1 encryption ey pair for R3.

Step 13.

T0e router uses t0e RSA 6ey pair for aut0entication and encryption of trans3itted SSH data$ Configure t0e RSA 6eys 5it0 a 3odulus of %.*/$ T0e default is '1#, and t0e range is fro3 ,% to # A&$ R3(config)# crypto ey generate rsa ["nter] !e na"e for t!e #eys $ill %e& R3'ccnasecurity'co" (!oose t!e si)e of t!e #ey "odulus in t!e range of 3*+ to 2+,- for your .eneral /ur0ose Keys' (!oosing a #ey "odulus greater t!an 112 "ay ta#e a fe$ "inutes' 2o$ "any %its in t!e "odulus [112]&1024 % .enerating 1+2, %it RSA #eys3 #eys $ill %e non-e40orta%le'''[5K] (ote& T0e co33and to generate RSA encryption 6ey pairs for R, in Pac6et Tracer differs fro3 t0ose used in t0e la4$ (erify the SS. configuration.

Step 1!.

@se t0e sho# ip ssh co33and to see t0e current settings$ 7erify t0at t0e aut0entication ti3eout and retries are at t0eir default values of 1# and ,$ Step 1#. Configure SS. ti"eouts and authentication para"eters.

T0e default SSH ti3eouts and aut0entication para3eters can 4e altered to 4e 3ore restrictive$ Set t0e ti3eout to 0. seconds, t0e nu34er of aut0entication retries to *, and t0e version to *$ R3(config)# ip ssh time-out 90 R3(config)# ip ssh authentication-retries 2 R3(config)# ip ssh version 2

All contents are Copyrig0t 1 1""#2#

" Cisco Syste3s, .nc$ All rig0ts reserved$ T0is docu3ent is Cisco Pu4lic .nfor3ation$

Page A of '

CCNA Security .ssue t0e sho# ip ssh co33and again to confir3 t0at t0e values 0ave 4een c0anged$ Step 1$. 1tte"pt to connect to R3 via Telnet fro" PC2C.

Open t0e )es6top of PC-C$ Select t0e Co33and Pro3pt icon$ Fro3 PC-C, enter t0e co33and to connect to R, via Telnet$ /(6 telnet 192.168.$.1 T0is connection s0ould fail, since R, 0as 4een configured to accept only SSH connections on t0e virtual ter3inal lines$ Step 1'. Connect to R3 using SS. on PC2C.

Open t0e )es6top of PC-C$ Select t0e Co33and Pro3pt icon$ Fro3 PC-C, enter t0e co33and to connect to R, via SSH$ :0en pro3pted for t0e pass5ord, enter t0e pass5ord configured for t0e ad3inistrator ciscoss pa$$$ /(6 ssh %l SSHadmin 192.168.$.1 Step 1). Connect to R3 using SS. on R2.

.n order to trou4les0oot and 3aintain t0e R, router, t0e ad3inistrator at t0e .SP 3ust use SSH to access t0e router C<.$ Fro3 t0e C<. of R#, enter t0e co33and to connect to R, via SSH version # using t0e SSHad3in user account$ :0en pro3pted for t0e pass5ord, enter t0e pass5ord configured for t0e ad3inistrator: ciscoss pa$$$ R2# ssh %v 2 %l SSHadmin 10.2.2.1 Step 1,. Chec results.

8our co3pletion percentage s0ould 4e 1 B$ Clic6 ' eck ,esults to see feed4ac6 and verification of 50ic0 re=uired co3ponents 0ave 4een co3pleted$

All contents are Copyrig0t 1 1""#2#

" Cisco Syste3s, .nc$ All rig0ts reserved$ T0is docu3ent is Cisco Pu4lic .nfor3ation$

Page ' of '