Configuring and securing a Cisco router

The following tutorial was made using Cisco Packet Tracer. Cisco Packet Tracer is a free networking simulation tool downloadable from the following link after creating an account.
https://www.netacad.com/courses/packet-tracer

Considering the following topology, composed of a computer PC0 and two routers R1 and R2.

We need to start by configuring PC0.

Then we need to configure the router R2. From the ‘CLI’ tab hit ‘Enter’. Then type ‘en’ or ‘enable’ to activate the router then ‘conf t’ to enter configuration mode.

In order to change the name of the router, type ‘hostname R2’.

Then we will configure the interface ‘Gig0/0’ using the following commnds:

R2 (config)# interface g0/0

R2 (config-if)#ip add 10.0.0.1 255.0.0.0

R2 (config-if)#no shutdown

R2 (config-if)#exit

Configuring interface Gig0/1:

R2 (config)# interface g0/1

R2 (config-if)#ip add 11.0.0.1 255.0.0.0

R2 (config-if)#no shutdown

R2 (config-if)#exit

Next we will configure interface G0/0 on router R1.

R1 (config)# interface g0/0

R1 (config-if)#ip add 11.0.0.2 255.0.0.0

R1 (config-if)#no shutdown

R1 (config-if)#exit

We can see that the interfaces are now active.

Next we will configure a static  route on R1 in order to communicate with PC0.

R1(config)# ip route 10.0.0.0 255.0.0.0 g0/0

We can test the connection with a ping:

R1#PING 10.0.0.2

As the ping is succesful we will now configure the minimal length of passwords for the routers at 10 characters.

R1(config)#Security passwords min-length 10

R1(config)#enable password 1234567890

R2(config)#Security passwords min-length 10

R2(config)#enable password 1234567890

Next we will configure the closing of the VTY line after two minutes of inactivity and the closing of the console line after one minute and thirty seconds of inactivity.

R1(config)# line vty 0 4

R1(config-line)# exec-timeout 2

R1(config-line)# exit

R1(config)# line console 0

R1(config-line)#exec-timeout 1 30

R1(config-line)# exit

We use the same commands on router R2.

We will now configure an SSH access on both routers, using SSH version 2, a domain name and a RSA key length of 2048 bits.

Here we create an SSH user.

R1(config)#username user1 password 1234567890

We apply SSH on on the VTY line.

R1(config)#line vty 0 4

R1(config-line)#transport input ssh

R1(config-line)#login local

R1(config-line)#exit

The same configuration is applied on router R2.

We configure the router R2 in order to be blocked during 30 seconds if two SSH login attemps failed under at least ten seconds.

R2(config)#login block-for 30 attempts 2 within 10

  login on-failure

  login on-success

We can test from PC0:

From R2 we can see the failed login attempts:

Always make sure to save your changes on the router once in a while from the ‘Config tab’, click ‘Save’.

On router R1 we create a user named ‘cisco5’ we a level 5 of privilege, then we connect with SSH from PC0.

R1(config)#username cisco5 privilege 5 password 1234567890

From PC0 we can see the available commands for R1.

We will now create a user ‘cisco10’ withe a privilege level of 10, from PC0 we can see the following:

On R1 we create a user ‘cisco15’ with a privilege level of 15, we can see that there is a greater number of available commands from PC0.

We customize level 10 by adding the global configuration command:

R1(config)#privilege exec level 10 configure terminal

From PC0, we can see that user cisco5 has no access when executing ‘conf t’ command, but user ‘cisco10’ we can see the available commands:

We will now add the necessary commands in order to configure rip routing at level  10.

R1(config)#privilege exec level 10 configure terminal

R1(config)#privilege router level 10 network

R1 (config) #privilege configure level 10 router rip

FromPC0:

R1 (config) #router rip

R1 (config-router) #network 11.0.0.0

R1 (config-router) #exit

We create a user ‘cisco11’ with a privilege level of 11:

R1(config)#username cisco11 privilege 11 password 1234567890

Available commands for this user:

Leave a Comment

Your email address will not be published.