Pnetlab practical exercise: teach you step by step how to log in to the firewall securely through SSH!


1. Experimental Introduction

About this experiment

During network maintenance, network administrators usually need to log in to many devices. Logging in to each device through the console port is cumbersome and time-consuming. Telnet removes that burden but transmits everything, including the login credentials, in plain text, so anyone who can capture the traffic can read them. To improve security, you can configure the SSH function on the device so that remote administrators log in and manage the device over an encrypted, mutually verified channel.

Purpose

Through this experiment, you can master the basic methods of configuring the SSH remote login function of the device.

Experimental Network Introduction

2. Experimental Planning

The management PC is connected with a standard Ethernet cable to the GE1/0/0 port of the device, and the management PC uses PuTTY to log in to the device remotely.

 Device          Port                Port type           Address
 Management PC   Ethernet interface  Ethernet interface  10.1.2.100/24
 Firewall        GE1/0/0             Ethernet interface  10.1.2.1/24

3. Experimental Task Configuration

1. Configuration ideas

2. Configuration steps

Step 1: Log in to the device through another method, such as the console port (SSH is not yet available at this point).

Step 2: Enable SSH on the device

 [FW]stelnet server enable
 Info: Succeeded in starting the Stelnet server.

Step 3: Configure the login interface.

Configure the IP address of the interface for login

 [FW]int g1/0/0
 [FW-GigabitEthernet1/0/0]ip add 10.1.2.1 24
 [FW-GigabitEthernet1/0/0]

After completing the above configuration commands, use display this to view the current configuration. As shown below:

Configure the interface access control function so that the interface accepts management traffic, and permit only SSH (Telnet, HTTP and the other management services stay denied).

 [FW-GigabitEthernet1/0/0]service-manage enable
 [FW-GigabitEthernet1/0/0]service-manage ssh permit

Add the interface to the trust security zone (return to the system view with quit first):

 [FW]firewall zone trust
 [FW-zone-trust]add interface GigabitEthernet 1/0/0

Configure a security policy that allows traffic from the trust zone to the local zone (the firewall itself), so the management PC can reach G1/0/0 of the firewall. The rule below permits all trust-to-local traffic; in production, narrow it to the management host and the SSH service.

 [FW]security-policy
 [FW-policy-security]rule name trus-local
 [FW-policy-security-rule-trus-local]source-zone trust
 [FW-policy-security-rule-trus-local]destination-zone local
 [FW-policy-security-rule-trus-local]action permit

After completing the above configuration commands, use display this to view the current configuration. As shown below:

Step 4: Configure administrator information

Set the VTY user interfaces to AAA authentication, allow only SSH inbound (this blocks Telnet on these lines), and set the privilege level:

 [FW]user-interface vty 0 4
 [FW-ui-vty0-4]authentication-mode aaa
 [FW-ui-vty0-4]protocol inbound ssh
 [FW-ui-vty0-4]user privilege level 3

Create the administrator account sshuser, set the authentication method to password, set the password to Admin@123 (a lab value; use a strong, unique password on a real device), and set the service type to SSH.

 [FW]aaa
 [FW-aaa]manager-user sshuser
 [FW-aaa-manager-user-sshuser]password cipher Admin@123
 [FW-aaa-manager-user-sshuser]service-type ssh
 [FW-aaa-manager-user-sshuser]level 3

Bind roles to administrators:

 [FW-aaa]bind manager-user sshuser role system-admin

Configure the SSH user. The SSH user name must match the AAA administrator created above (sshuser), and its service type is stelnet (SSH-based terminal access).

 [FW]ssh user sshuser
 [FW]ssh user sshuser authentication-type password
 [FW]ssh user sshuser service-type stelnet

Step 5: Generate a local RSA key pair. This is the host key that identifies the firewall to SSH clients; no client can complete an SSH connection until it exists.

 [FW]rsa local-key-pair create
 The key name will be: FW_Host
 The range of public key size is (2048 ~ 2048).
 NOTES: If the key modulus is greater than 512,
        it will take a few minutes.
 Input the bits in the modulus[default = 2048]:
 Generating keys...
 ......+++++
 ........................++
 ....++++
 ...........++

Step 6: Log in to your device

Configure the address 10.1.2.100/24 on the management PC, run PuTTY, fill in the SSH parameters for the device, and log in. Select Session, set Connection type to SSH, enter 10.1.2.1 as the Host Name (or IP address), and configure the remaining parameters as shown in the figure.

Verification

Click Open in the session configured in step 6. On the first connection PuTTY shows the firewall's host key fingerprint and asks whether to trust it; this fingerprint belongs to the key pair generated in Step 5, so confirm it out of band (for example, against the public key displayed on the device over the console) before accepting, otherwise a man-in-the-middle could present its own key. Then press Enter, enter the username sshuser and the password Admin@123. When the device prompt appears in the PuTTY window, the SSH login is successful.
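The following is an added, consolidated listing of Steps 2 to 5 as one Huawei VRP CLI session; it is not a listing from the original page. It restores the quit commands between views that the step-by-step snippets omit, generates the host key before the Stelnet server is enabled so the first client connection can succeed, and tightens the security policy to the management host and the SSH service only. The source-address and service lines in the rule, and the two display commands used for verification at the end, are assumed syntax for the USG platform and are not in the original steps.

```vrp
# Added example (not from the original page). Assumed lines are marked "assumed".
<FW> system-view
[FW] rsa local-key-pair create
[FW] interface GigabitEthernet 1/0/0
[FW-GigabitEthernet1/0/0] ip address 10.1.2.1 24
[FW-GigabitEthernet1/0/0] service-manage enable
[FW-GigabitEthernet1/0/0] service-manage ssh permit
[FW-GigabitEthernet1/0/0] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/0
[FW-zone-trust] quit
[FW] security-policy
[FW-policy-security] rule name trus-local
[FW-policy-security-rule-trus-local] source-zone trust
[FW-policy-security-rule-trus-local] destination-zone local
[FW-policy-security-rule-trus-local] source-address 10.1.2.100 32
[FW-policy-security-rule-trus-local] service ssh
[FW-policy-security-rule-trus-local] action permit
[FW-policy-security-rule-trus-local] quit
[FW-policy-security] quit
[FW] user-interface vty 0 4
[FW-ui-vty0-4] authentication-mode aaa
[FW-ui-vty0-4] protocol inbound ssh
[FW-ui-vty0-4] user privilege level 3
[FW-ui-vty0-4] quit
[FW] aaa
[FW-aaa] manager-user sshuser
[FW-aaa-manager-user-sshuser] password cipher Admin@123
[FW-aaa-manager-user-sshuser] service-type ssh
[FW-aaa-manager-user-sshuser] level 3
[FW-aaa-manager-user-sshuser] quit
[FW-aaa] bind manager-user sshuser role system-admin
[FW-aaa] quit
[FW] ssh user sshuser
[FW] ssh user sshuser authentication-type password
[FW] ssh user sshuser service-type stelnet
[FW] stelnet server enable
# assumed: verification commands
[FW] display ssh server status
[FW] display ssh user-information
```

The two display commands at the end should report that the Stelnet server is enabled and that sshuser exists with password authentication and the stelnet service type; if the PuTTY login in Step 6 fails, check those two outputs and the security policy hit counters before suspecting the client.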
