Cisco : Enable SSH on Cisco Switch, Router and ASA

When you configure a Cisco device, you need to use a console cable and connect directly to the system to access it. Follow the SSH setup below, will enable SSH access to your Cisco devices, since SSH is not enabled by default. Once you enable SSH, you can then access it remotely using SecureCRT or any other SSH client.

Set hostname and domain-name

The hostname has to have a hostname and domain-name.

switch# config t
switch(config)# hostname tpw-switch
tpw-switch(config)# ip domain-name thepacketwizard.com

Setup Management IP

In the following example, the management ip address will be set to 10.100.101.2 in the 101 VLAN. The default gateway points to the firewall, which is 10.100.101.1

tpw-switch# ip default-gateway 10.100.101.1
tpw-switch# interface vlan 101
tpw-switch(config-if)# ip address 10.100.101.2 255.255.255.0

Generate the RSA Keys

The switch or router should have RSA keys that it will use during the SSH process. So, generate these using crypto command as shown below.

tpw-switch(config)# crypto key generate rsa
  The name for the keys will be: tpw-switch.thepacketwizard.com
  Choose the size of the key modulus in the range of 360 to 2048 for your
    General Purpose Keys. Choosing a key modulus greater than 512 may take
    a few minutes.

How many bits in the modulus [512]: 1024
  % Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Setup the Line VTY configurations

Setup the following line vty configuration, where input transport is set to SSH only. Set the login to local, and password to 7, and make sure Telnet is not enabled:

tpw-switch# line vty 0 4
 tpw-switch(config-line)# transport input ssh
 tpw-switch(config-line)# login local
 tpw-switch(config-line)# password 7
 tpw-switch(config-line)# exit

If you have not set the console line yet, use the following:

tpw-switch# line console 0
tpw-switch(config-line)# logging synchronous
tpw-switch(config-line)# login local

Create the username password

If you don’t have an username created already, here is how:

tpw-switch# config t
Enter configuration commands, one per line.  End with CNTL/Z.
tpw-switch(config)# username thepacketwizard password tpwpassword123
tpw-switch# enable secret tpwenablepassword

Make sure the password-encryption service is turned-on, which will encrypt the password, and when you do “show run”, you’ll see only the encrypted password and not clear-text password.

tpw-switch# service password-encryption

Verify SSH access

From the switch, if you do ‘show ip ssh’, it will confirm that the SSH is enabled on this Cisco device.

tpw-switch# show ip ssh
 SSH Enabled - version 1.99
 Authentication timeout: 120 secs; Authentication retries: 3

After the above configurations, login from a remote machine to verify that you can ssh to this cisco switch.

In the example, 10.100.101.2 is the management ip-address of the switch.

TPW-Remote-Computer# ssh 10.100.101.2
 login as: thepacketwizard
 Using keyboard-interactive authentication.
 Password:

tpw-switch>en
 Password:
 tpw-switch#

You are now setup and logged in on SSH!

To read more on SSH visit: https://en.wikipedia.org/wiki/Secure_Shell

Network Utilities : SuperPutty Setup

I only use SuperPutty with GNS3, here is how.

  • GNS3 as of 1.5.2 doesn’t include the latest version so download it from here:
  • Start SuperPutty which will present you with the configuration options.  Set the following:
    • YOU MUST USE THE PUTTY PROVIDED WITH GNS3.  If you don’t, you’ll receive errors “unknown option -wt” when opening consoles with SuperPutty from GNS3
    • putty.exe location (Required): C:\Program Files\GNS3\putty.exe
      • Or where-ever GNS3 is installed
    • Click the “Advanced: tab > Check off “Only allow single instance of SuperPutty to run”
  • Set the other options however you like
  • Open up Preferences in GNS3 > General > Console applications tab
  • Change the console application for telnet and serial to use SuperPutty
  • If you want to use keep the same color scheme that is used by the regular Putty console, add “-gns3 5 -skin 4” at the end i.e.
    • c:\dropbox\apps\superputty\SuperPutty.exe -telnet “%h -P %p -wt \”%d\” -gns3 5 -skin 4″

GNS3 : Install and Configure

This install is intended for running IOU/IOL images on the GNS3 VM because it is the preferable way of running IOS in GNS3 now.

Pre-Requisites:

  1. Install VMware Workstation Player
    http://www.vmware.com/products/player/playerpro-evaluation.html
  2. Install VMware VIX API
    https://www.vmware.com/support/developer/vix-api/
  3. Install Wireshark
    https://www.wireshark.org/download.html
    Install WinPCAP provided by Wireshark

 

Install GNS3:

  1. Install GNS3
    https://www.gns3.com/software/download
  2. Install only the following components:

  1. We don’t need Dynamips/QEMU/VPCS/Cpulimit because we’ll be running everything off of the GNS3 VM server.  We don’t install SuperPutty from here because its not the latest version and the first thing it does when you open it is bug you about upgrading to the latest version.  There are setup instructions for it below.

Install Loopback Adapter

  1. Open an Admin Command Prompt

cd “c:\Program Files\gns3”

loopback-manager.cmd

  1. Install a new Loopback interface (reboot required)
  2. Reboot
  1. Rename the new Loopback adapter to “Loopback”
  2. Assign it an IP address

 

Setup GNS3 VM:

  1. Download the GNS3 VM version that matches the installed GNS3 version
    https://github.com/GNS3/gns3-gui/releases
  2. Import the VM and keep the defaults
  3. Add a 3rd Network Adapter that will be in Bridged mode and connected to the Loopback adapter (Microsoft KM-TEST Loopback Adapter)

  1. Power on the VM
  2. SSH into the VM using gns3/gns3 for the credentials
    1. Sudo to root and run the following:
      1. echo ‘127.0.0.127 xml.cisco.com’ >> /etc/hosts
  3. Leave the VM powered on, we’re done with it for now
  4. Open an Administrator command prompt
  5. cd into the GNS3 install directory and run the following:
    1. IMPORTANT: On my work laptop, added the additional interfaces broke network connectivity to the VM after they were added.  I have no idea why but after I reinstalled VMware Workstation which uninstalled all the adapters, I was able to connect to the VM again.  On the work laptop, I’m running without the additional adapters and it seems fine so far.
    2. vmnet-manager.cmd
    3. Select option 1 which will add the vmnet interface 2 to 19 (this can take a while, please be patient)
    4. If it looks like this process has hung, you follow step 2 in the url below to add the adapters
      https://www.gns3.com/support/docs/how-to-use-vmware-player-in-gns3

 

Configure GNS3 to use the GNS3 VM server:

  1. Open up GNS3
  2. Goto Edit > Preferences

    Be sure to leave “Start VM in headless mode” unchecked.  I ran into issues where the VM would not automatically startup when opening GNS3 and also cause the GNS3 process to linger when closing out of it.
  3. Disable “Use of the local server” for Dynamips and QEMU.  We’ll use the GNS3 VM instead for running those processes.

Packet capture VPCS Dynamips IOS routers General settings Use the local server Path to Dynamips:

 

 

Create the L2/L3 IOU Devices:

  1. Goto Edit > Preferences
  2. Set the iourc file to use with the license (IOU devices need a license to run)
  3. Create the L2 image:
  4. Create the L3 image:

Add Device Image

New appliance template > Add and IOU > Run the IOU > New Image > Browse

 

i86bi-linux-l2-ipbasek9-15.1e.bin – IOU-L2

i86bi-linux-l3-adventerprisek9-15.4.2T.bin – IOU-L3

 

 

Operational Notes:

  • Sometimes a restart of all the routers/switches are required when new links are created between devices.  Even though the line protocols show as up, I’ve found a restart is required for traffic to actually pass through them.

 

If you want to use SuperPutty as the SSH client for GNS3 click this link:
SuperPutty with GNS3

SecureCRT : Logging

Logging your session when doing any kind of network work is very important and can save your ass. It has saved mines on multiple occasions. One reason is it allows you to look back and see what you may have done wrong, so you can troubleshoot a issue more effectively. Other reasons are it give you the user a quick way to backup a device if you show the configuration file when working on it. I make it a habit of showing the configuration file before I do any work, so I always have a back out strategy incase something goes wrong.

SecureCRT Logging

Options > Edit Session Defaults

File path to where you are storing your logs /Logs/%M-%D-%Y/%S (%H) — %h-%m.log

Start Log Upon Connect

Append to File

Start recording S (%H) – %h:%m:%s

Stop recording S (%H) – %h:%m:%s

Happy Logging!