
PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

Topology Diagram

Addressing Table
Device  Interface      IP Address    Subnet Mask      Default Gateway  Switch Port
R1      FA0/1          192.168.1.1   255.255.255.0    N/A              S1 FA0/5
R1      S0/0/0 (DCE)   10.1.1.1      255.255.255.252  N/A              N/A
R2      S0/0/0         10.1.1.2      255.255.255.252  N/A              N/A
R2      S0/0/1 (DCE)   10.2.2.2      255.255.255.252  N/A              N/A
R3      FA0/1          192.168.3.1   255.255.255.0    N/A              S3 FA0/5
R3      S0/0/1         10.2.2.1      255.255.255.252  N/A              N/A
PC-A    NIC            192.168.1.5   255.255.255.0    192.168.1.1      S1 FA0/6
PC-B    NIC            192.168.1.6   255.255.255.0    192.168.1.1      S2 FA0/18
PC-C    NIC            192.168.3.5   255.255.255.0    192.168.3.1      S3 FA0/6

All contents are Copyright © 1992-2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Page 1 of 4

CCNA Security

Learning Objectives

- Configure routers as NTP clients.
- Configure routers to update the hardware clock using NTP.
- Configure routers to log messages to the syslog server.
- Configure routers to timestamp log messages.
- Configure local users.
- Configure VTY lines to accept SSH connections only.
- Configure RSA key pair on SSH server.
- Verify SSH connectivity from PC client and router client.

Introduction

The network topology shows three routers. You will configure NTP and Syslog on all routers. You will configure SSH on R3.

Network Time Protocol (NTP) allows routers on the network to synchronize their time settings with an NTP server. NTP clients that obtain their time and date from a single source have consistent time settings, and the Syslog messages they generate can be analyzed more easily. This helps when troubleshooting network problems and attacks. When NTP is implemented in the network, it can be set up to synchronize to a private master clock, or to a publicly available NTP server on the Internet.

The NTP Server is the master NTP server in this lab. You will configure the routers to allow the software clock to be synchronized by NTP to the time server. You will also configure the routers to periodically update the hardware clock with the time learned from NTP. Otherwise, the hardware clock will tend to gradually lose or gain time (drift), and the software clock and hardware clock may fall out of synchronization with each other.

The Syslog Server will provide message logging in this lab. You will configure the routers to identify the remote host (Syslog server) that will receive logging messages. You will need to configure timestamp service for logging on the routers. Displaying the correct time and date in Syslog messages is vital when using Syslog to monitor a network. If the correct time and date of a message is not known, it can be difficult to determine what network event caused the message.

R2 is an ISP connected to two remote networks: R1 and R3. The local administrator at R3 can perform most router configuration and troubleshooting; however, since R3 is a managed router, the ISP needs access to R3 for occasional troubleshooting or updates. To provide this access in a secure manner, the administrators have agreed to use Secure Shell (SSH). You use the CLI to configure the router to be managed securely using SSH instead of Telnet. SSH is a network protocol that establishes a secure terminal emulation connection to a router or other networking device. SSH encrypts all information that passes over the network link and provides authentication of the remote computer. SSH is rapidly replacing Telnet as the remote login tool of choice for network professionals.

The servers have been pre-configured for NTP and Syslog services respectively. NTP will not require authentication. The routers have been pre-configured with the following:

- Enable password: ciscoenpa55
- Password for vty lines: ciscovtypa55
- Static routing



Task 1: Configure routers as NTP Clients.

Step 1. Test Connectivity
Ping from PC-C to R3. Ping from R2 to R3. Telnet from PC-C to R3. Telnet from R2 to R3.

Step 2. Configure R1, R2 and R3 as NTP clients.
Verify client configuration using the command show ntp status.

Step 3. Configure routers to update hardware clock.
Configure R1, R2 and R3 to periodically update the hardware clock with the time learned from NTP. Verify that the hardware clock was updated using the command show clock.

Step 4. Configure routers to timestamp log messages.

Step 5. Configure timestamp service for logging on the routers.
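The configuration that completes Steps 2 to 5 on one router, shown here as an added example rather than text from the original activity. The page does not state the NTP Server's address; the example assumes it is the host at 192.168.1.5 (PC-A in the addressing table), an assumption to replace with the address of the NTP Server in your topology. Apply the same lines on R2 and R3.

```cisco
! Added example: NTP client, hardware-clock update and log timestamps on R1.
! Assumption: the NTP Server is the host at 192.168.1.5 (PC-A in the table).
R1# configure terminal
! Step 2: the software clock synchronizes to the NTP server.
R1(config)# ntp server 192.168.1.5
! Step 3: copy NTP time into the hardware clock periodically, so the two
! clocks do not drift apart between reloads.
R1(config)# ntp update-calendar
! Steps 4-5: stamp every log message with date, time and milliseconds.
R1(config)# service timestamps log datetime msec
! Same format for debug output, so captures line up with syslog entries.
R1(config)# service timestamps debug datetime msec
R1(config)# end
! Verification. "unsynchronized" immediately after entering ntp server is
! normal; synchronization takes several polling intervals.
R1# show ntp status
R1# show ntp associations
R1# show clock detail
```

show clock detail reports the time source ("Time source is NTP") once the router has synchronized. The activity states that NTP needs no authentication here; on a production network pair ntp server with ntp authenticate, ntp authentication-key and ntp trusted-key, otherwise a rogue time source can skew the very timestamps the Syslog analysis in Task 2 depends on.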

Task 2: Configure routers to log messages to the Syslog Server.

Step 6. Configure the routers to identify the remote host (Syslog Server) that will receive logging messages.
The router console will display a message that logging has started.

Step 7. Verify logging configuration using the command show logging.

Step 8. Examine logs of the Syslog server.
From the Config tab of the Syslog server's dialogue box, select the Syslog services button. Observe the logging messages received from the routers.

Note: Log messages can be generated on the server by executing commands on the router. For example, entering and exiting global configuration mode will generate an informational configuration message.
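The commands for Steps 6 and 7 on R1, added here as an example that is not part of the original page. The Syslog Server's address is not given on the page; the example assumes it is the host at 192.168.1.6 (PC-B in the addressing table), an assumption to adjust to your topology. R2 and R3 take the same lines.

```cisco
! Added example: forward R1's log messages to the Syslog Server.
! Assumption: the Syslog Server is the host at 192.168.1.6 (PC-B in the table).
R1# configure terminal
! Step 6: remote syslog host (UDP port 514 by default).
R1(config)# logging host 192.168.1.6
! Severity threshold for messages sent to the server: 0 (emergencies)
! through 6 (informational) are forwarded, which includes the
! configuration-change message produced by entering and leaving config
! mode; level 7 (debugging) output stays on the router.
R1(config)# logging trap informational
! Logging is on by default; stated explicitly so the intent is in the config.
R1(config)# logging on
R1(config)# end
! Step 7: the output lists the logging host, the trap level and a count of
! messages sent to it.
R1# show logging
```

Older IOS images and Packet Tracer also accept the shorter form logging 192.168.1.6 for the same setting. Syslog here is plain UDP to port 514: nothing authenticates the sender or protects the messages in transit, so anyone who can inject packets toward the server can forge entries or drown out real ones. Keep the server on a management segment, and rely on the NTP timestamps from Task 1 to correlate entries from all three routers.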

Task 3: Configure R3 to support SSH connections.

Step 9. Configure a domain name.
Configure a domain name of ccnasecurity.com on R3.

Step 10. Configure users for login from the SSH client on R3.
Create a user ID of SSHadmin with the highest possible privilege level and a secret password of ciscosshpa55.

Step 11. Configure the incoming VTY lines on R3.
Use the local user accounts for mandatory login and validation. Accept only SSH connections.

Step 12. Erase existing key pairs on R3.
Any existing RSA key pairs should be erased on the router.


Note: If no keys exist, you might receive this message: % No Signature RSA Keys found in configuration.

Step 13. Generate the RSA encryption key pair for R3.
The router uses the RSA key pair for authentication and encryption of transmitted SSH data. Configure the RSA keys with a modulus of 1024. The default is 512, and the range is from 360 to 2048.

    R3(config)# crypto key generate rsa [Enter]
    The name for the keys will be: R3.ccnasecurity.com
    Choose the size of the key modulus in the range of 360 to 4096 for your
      General Purpose Keys. Choosing a key modulus greater than 512 may take
      a few minutes.

    How many bits in the modulus [512]: 1024
    % Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Note: The command to generate RSA encryption key pairs for R3 in Packet Tracer differs from those used in the lab.

Step 14. Verify the SSH configuration.
Use the show ip ssh command to see the current settings. Verify that the authentication timeout and retries are at their default values of 120 and 3.

Step 15. Configure SSH timeouts and authentication parameters.
The default SSH timeouts and authentication parameters can be altered to be more restrictive. Set the timeout to 90 seconds, the number of authentication retries to 2, and the version to 2. Issue the show ip ssh command again to confirm that the values have been changed.

Step 16. Attempt to connect to R3 via Telnet from PC-C.
Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect to R3 via Telnet.

    PC> telnet 192.168.3.1

This connection should fail, since R3 has been configured to accept only SSH connections on the virtual terminal lines.

Step 17. Connect to R3 using SSH on PC-C.
Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect to R3 via SSH. When prompted for the password, enter the password configured for the administrator, ciscosshpa55.

    PC> ssh -l SSHadmin 192.168.3.1

Step 18. Connect to R3 using SSH on R2.
In order to troubleshoot and maintain the R3 router, the administrator at the ISP must use SSH to access the router CLI. From the CLI of R2, enter the command to connect to R3 via SSH version 2 using the SSHadmin user account. When prompted for the password, enter the password configured for the administrator: ciscosshpa55.

    R2# ssh -v 2 -l SSHadmin 10.2.2.1

Step 19. Check results.
Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.
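The full R3 configuration for Steps 9 to 15 in one sequence, added as an example that is not from the original activity. It uses only values the page gives (domain ccnasecurity.com, user SSHadmin, password ciscosshpa55, 1024-bit keys, 90-second timeout, 2 retries, version 2) and orders the commands so that the VTY lines are never restricted to SSH before an SSH server exists to accept the connection. It assumes you are working on R3's console.

```cisco
! Added example: R3 SSH server configuration in a lock-out-safe order.
! Assumption: entered from the console, not over the Telnet session from Step 1.
R3# configure terminal
! Step 9: the key pair is named <hostname>.<domain>, so the hostname (R3)
! and the domain must exist before the keys are generated.
R3(config)# ip domain-name ccnasecurity.com
! Step 10: local account at the highest privilege level; "secret" stores a
! hash of the password instead of a reversible type 7 string.
R3(config)# username SSHadmin privilege 15 secret ciscosshpa55
! Step 12: remove any old key pair (the router asks for confirmation),
! then Step 13: generate a fresh 1024-bit pair. Do this before restricting
! the VTYs: without a key pair the SSH server is not running, and
! "transport input ssh" would leave no working remote path at all.
R3(config)# crypto key zeroize rsa
R3(config)# crypto key generate rsa general-keys modulus 1024
! Step 15: SSH version 2 only (needs a key of at least 768 bits),
! 90-second login timeout, 2 authentication attempts per connection.
R3(config)# ip ssh version 2
R3(config)# ip ssh time-out 90
R3(config)# ip ssh authentication-retries 2
! Step 11: VTY lines authenticate against the local user database and
! accept SSH only. Until this change the lines still accept Telnet, which
! is why the Telnet test in Step 16 is refused afterwards.
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# transport input ssh
R3(config-line)# exit
R3(config)# end
! Steps 13-14: confirm the key name and size, then version, timeout and retries.
R3# show crypto key mypubkey rsa
R3# show ip ssh
```

With no keys present, crypto key zeroize rsa prints the message quoted in Step 12 and the sequence continues. login local replaces the pre-configured VTY password ciscovtypa55 with the local user database, so after this change only SSHadmin can log in remotely. If the platform has more than five VTY lines, apply the same line section to all of them (for example line vty 0 15); Telnet stays open on any line left at its old transport setting. A 1024-bit modulus is what the exercise asks for; on real hardware generate 2048 bits or more.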
