Scenarios where an SSH service is required in a Packet Tracer simulation
As we all know, Cisco Packet Tracer is a network simulation tool that helps you visualize the network configuration of designs you build yourself. It includes almost all the devices that can appear in a network stack, for example:
- Network devices like L2 and L3 switches
- End devices like PCs
- Web servers
- Firewalls, etc.
Hence, if we want a web server, we just drag and drop one from the devices section and configure it with the necessary parameters.
But there is no separate SSH server. That is what led me to write this post, to share my thoughts on testing an SSH connection. From my personal experience, I have been developing a network security model for a university network as an assignment. It had some access control lists (ACLs) that allow only SSH traffic to a certain IP address. So when it was required to test the behavior of the firewall on SSH traffic, there was no option to test it.
How can we do it then?
Our aim is to test an SSH connection (an SSH service) running on a particular host with a given IP address. We can make use of the SSH service built into the network devices in Packet Tracer, such as L2/L3 switches and routers. These devices normally run an SSH service for secure remote configuration, and since it is just an SSH service listening on a device that has an IP address, it behaves like an SSH server for our purposes.
Let's try it with a router in Cisco Packet Tracer
In this demo, we will connect the PC directly to the router and put both in the same subnet so that it is simple to implement and test.
If you do not have prior knowledge of how to use Packet Tracer, I would recommend following the official course, which is free, so that you get an idea of what is going on.
Network configuration details
We use static IP configuration (so there is no need for a DHCP server).

PC
- Interface: FastEthernet0 (you can choose your own interface)
- IP address: 192.168.1.10
- Subnet mask: 255.255.255.0

Router (model: ISR4321)
- Interface: GigabitEthernet0/0/0 (can differ with the router model)
- IP address: 192.168.1.100
- Subnet mask: 255.255.255.0

Note that the router interface must be brought up (status set to On in the GUI, or `no shutdown` on the interface in the CLI); router interfaces are administratively down by default.
All of this configuration can be done through the GUI provided in Packet Tracer, but it is better to try it with the device's CLI.
Let's enable SSH on the router
Before doing anything else, change the router's hostname from the default; otherwise it will throw an error when we try to generate the crypto key, because the key name is derived from the hostname and domain name.
```
enable
configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
hostname my-router
```
Now add an IP domain name and generate the crypto key.
Create the crypto key using RSA (SSH is an encrypted connection, unlike Telnet, which sends everything in clear text).
```
my-router(config)#ip domain-name SSH-1
my-router(config)#crypto key generate rsa
The name for the keys will be: my-router.SSH-1
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus : 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

my-router(config)#
*Mar 1 0:15:28.457: %SSH-5-ENABLED: SSH 1.99 has been enabled
```
Note that it will prompt for the number of bits in the modulus; we stick to 1024, the usual choice. The prompt accepts up to 2048 on this router, and IOS requires a modulus of at least 768 bits before SSH version 2 can be enabled in the next step.
Now configure the virtual teletype (VTY) lines, which accept remote terminal connections (Telnet or SSH) to the device:
- Set the transport input to SSH (so Telnet is no longer accepted on these lines)
- Set the login method to local (the username and password configured on the router)
- Set the SSH version to be used
```
my-router(config)#line vty 0 15
my-router(config-line)#transport ?
  input   Define which protocols to use when connecting to the terminal server
  output  Define which protocols to use for outgoing connections
my-router(config-line)#transport input ?
  all     All protocols
  none    No protocols
  ssh     TCP/IP SSH protocol
  telnet  TCP/IP Telnet protocol
my-router(config-line)#transport input ssh
my-router(config-line)#login local
my-router(config-line)#ip ssh ver 2
```
Note that `?` is really useful during configuration: it lists all the possible completions of a partially typed command. Also note that `ip ssh version 2` is a global configuration command; IOS accepts it from line configuration mode and drops you back to the `(config)#` prompt, which is why the next command is entered at the global prompt.
Set up a username and a password. Give the user privilege level 15 so that it lands directly in privileged EXEC mode on the router. (In IOS, `username john privilege 15 secret cisco123` would store a hash of the password instead of the clear-text string; the `password` form is what this demo uses.)
```
my-router(config)#username john privilege 15 password cisco123
```
The configuration on the router is almost over, but do not forget to save the running configuration to the startup configuration; otherwise, all the configuration is lost when the router reboots. To write it to the startup configuration, switch back to privileged mode:
```
my-router(config)#exit
my-router#
%SYS-5-CONFIG_I: Configured from console by console
my-router#write memory
Building configuration...
[OK]
my-router#
```
We are good to go now. Let's test the SSH connection from the PC by running the following command in the PC's command prompt:
```
C:\>ssh -l john 192.168.1.100
Password:
my-router#
```
Give the password cisco123 for the user john created on the router. The `my-router#` prompt shows that the login succeeded and, because of privilege level 15, the session landed directly in privileged mode.
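The Packet Tracer PC only has the `ssh` client shown above, but when the same router sits behind a real firewall or when you reproduce the lab with a real device, you will want a scripted check of the two things this configuration promises: that port 22 on 192.168.1.100 answers at all (the ACL question from the introduction) and that the server offers SSH-2 only after `ip ssh version 2` (a banner starting with `SSH-2.0-` rather than the `SSH 1.99` announced when the key was generated). The script below is an added example, not part of the original post or any Cisco tool; it assumes the router address from the post and reads the server's identification string as defined in RFC 4253 (`SSH-protoversion-softwareversion SP comments CR LF`). It does not authenticate, so it needs no credentials.

```python
# Added example (not part of the original post): connect to an SSH port from a
# real machine, read the server's RFC 4253 identification string and report
# which protocol versions the server is willing to speak. The lab address and
# port below are assumptions taken from the post's topology.
import socket
import sys

SSH_PORT = 22
LAB_ROUTER = "192.168.1.100"  # the router configured in the post (assumed)


def parse_ssh_banner(line: bytes) -> dict:
    """Split an SSH identification string into its parts.

    Raises ValueError when the line does not look like an SSH banner.
    """
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    if not text.startswith("SSH-"):
        raise ValueError(f"not an SSH identification string: {text!r}")
    ident, _, comments = text.partition(" ")  # comments are optional
    parts = ident.split("-", 2)  # "SSH", protoversion, softwareversion
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError(f"malformed identification string: {text!r}")
    protoversion, softwareversion = parts[1], parts[2]
    return {
        "protoversion": protoversion,
        "softwareversion": softwareversion,
        "comments": comments,
        # "1.99" is the RFC 4253 way of saying "I speak SSH-1 and SSH-2";
        # anything else in the 1.x range is an SSH-1-only server.
        "accepts_v1": protoversion.startswith("1."),
        "accepts_v2": protoversion in ("2.0", "1.99"),
    }


def version_policy(banner: bytes) -> str:
    """Summarise a banner as 'ssh2-only', 'ssh1-and-ssh2' or 'ssh1-only'."""
    info = parse_ssh_banner(banner)
    if info["accepts_v2"] and not info["accepts_v1"]:
        return "ssh2-only"
    if info["accepts_v2"]:
        return "ssh1-and-ssh2"
    return "ssh1-only"


def fetch_ssh_banner(host: str, port: int = SSH_PORT, timeout: float = 5.0) -> bytes:
    """Connect to host:port and return the first line that starts with b"SSH-".

    RFC 4253 allows a server to send other text lines before the
    identification string, so those are skipped (with an upper bound).
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        with sock.makefile("rb") as stream:
            for _ in range(32):  # bounded: never read forever
                line = stream.readline(256)
                if not line:
                    break
                if line.startswith(b"SSH-"):
                    return line
    raise ValueError(f"no SSH identification string received from {host}:{port}")


def check_ssh_server(host: str, port: int = SSH_PORT) -> str:
    """Return a one-line report; a refused or timed-out connection is reported too."""
    try:
        banner = fetch_ssh_banner(host, port)
    except (OSError, ValueError) as exc:  # socket.timeout is an OSError subclass
        return f"{host}:{port} no SSH service reachable ({exc})"
    info = parse_ssh_banner(banner)
    return (f"{host}:{port} {info['softwareversion']} "
            f"protoversion={info['protoversion']} policy={version_policy(banner)}")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else LAB_ROUTER
    print(check_ssh_server(target))
```

Run it as `python3 check_ssh.py 192.168.1.100` from a host on the allowed side of the firewall and again from one that the ACL should block: the first run should report `policy=ssh2-only`, the second should report the connection as unreachable. The parser is kept separate from the socket code so the banner logic can be checked offline with constructed strings such as `SSH-2.0-Cisco-1.25` and `SSH-1.99-Cisco-1.25`.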
With the above configuration we have set up an SSH server at 192.168.1.100, and it can be used wherever it is needed. For example, as explained at the beginning, we can connect this router to the firewall and then check the firewall's behavior on SSH traffic from an outside PC. Here the router is not routing any traffic; it just acts as an SSH server. Of course, the router's other functionality can still be used while it serves as the SSH test target.