How to Configure SSH in Cisco Packet Tracer

Quick Insight

You can set up SSH on a Cisco router in Packet Tracer to lock down remote access. This secure shell keeps all login data scrambled from end to end. First, set a hostname and an IP domain on the device. Then generate RSA keys and turn on SSH version 2. Next, build a local user and tell the VTY lines to use SSH only. In short, your link is safe from prying eyes and you gain full, encrypted control of the network.

SSH (Secure Shell) provides secure management of network devices. By using SSH, you establish a secure connection to a network device that you access, and your data is sent in encrypted form.

Configuring SSH in Packet Tracer

How to Enable SSH in a Cisco Router with Packet Tracer

SSH is a much safer protocol than the Telnet protocol and uses TCP port 22 by default. The port number may vary.

There are two versions of the SSH protocol. These are Version 1 and Version 2.

SSH V1 uses several patented encryption algorithms and is affected by a well-known vulnerability that could allow an attacker to insert data into the communication stream.

SSH V2 has an improved key exchange algorithm that is not open to the same attack and includes stronger and more comprehensive features:

• Encryption such as 3DES and AES.
• Message Authentication Code (MAC) algorithms for integrity checking.
• Support for public-key certificates.

We recommend that you use SSH V2 wherever possible to manage network devices remotely.

To enable SSH on real hardware, make sure that the file name of your Cisco IOS image contains k9 (the crypto feature set).

The truth is, many older systems still use Telnet. If you want to see the security difference for yourself in the simulator, first try setting up a Telnet connection step by step.

Then, use Wireshark to look at the traffic from both protocols. This will show you clearly how they are different. When you see the difference with your own eyes, you will understand why SSH is so much better.

1. Create the Topology and Connect to the Router

Step 1

First, run Packet Tracer and then create a network topology, as shown in the image below.

Add one more router to the work area. We need it because after we set things up, we will create SSH connections between the routers.

After manually entering PC1’s IP settings, a question might arise: Is there a way to do this automatically? Of course there is.

When you learn how to turn on a DHCP server in your network, your work gets much easier. This saves you a lot of time, especially when you have many devices. I always set up DHCP first in every simulation.

SSH Connection from Router to Router

Step 2

Open the CLI prompt by clicking on the SYSNETTECH Router and press Enter to skip the initial configuration.

In the simulator, clicking on the router to open the CLI command prompt will do the job. But in the real world, your first contact with a device is different.

This means you need to connect using a console cable. Being in a server room, plugging your laptop into the console port of a router—that is a great experience. Even if you only try this basic step in the simulator, it is worth doing.

IOS Command Line Interface

2. Enable SSH on your Cisco Router

To enable SSH on the Router, perform the following commands in order.

Router>enable
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname SYSNETTECH
SYSNETTECH(config)#interface gigabitethernet 0/0
SYSNETTECH(config-if)#ip address 192.168.1.1 255.255.255.0
SYSNETTECH(config-if)#no shutdown
%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
SYSNETTECH(config-if)#exit
SYSNETTECH(config)#ip domain name sysnettechsolutions.com
SYSNETTECH(config)#crypto key generate rsa
The name for the keys will be: SYSNETTECH.sysnettechsolutions.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
SYSNETTECH(config)#ip ssh version 2
*Mar 1 0:6:12.698: %SSH-5-ENABLED: SSH 1.99 has been enabled
SYSNETTECH(config)#ip ssh time-out 10
SYSNETTECH(config)#ip ssh authentication-retries 3
SYSNETTECH(config)#line vty 0 4
SYSNETTECH(config-line)#login local
SYSNETTECH(config-line)#privilege level 15
SYSNETTECH(config-line)#transport input ssh
SYSNETTECH(config-line)#exit
SYSNETTECH(config)#username cisco privilege 15 password cisco123
SYSNETTECH(config)#end
SYSNETTECH#wr
Building configuration...
[OK]
SYSNETTECH#

Enabling SSH on the Router

3. Assign IP Addresses to PCs

Step 1

Configure the IP settings of PC1 as follows.

Configure TCP/IP Settings for PC1

Step 2

To quickly configure the R1’s interface, double-click on it, click the Config tab in the window that opens, and then configure the Port Status option of the GigabitEthernet0/0 interface to On, then assign the IP address.

Assigning an IP Address to the Router's Interface

4. Establish an SSH Connection to the Router

Step 1

To test whether SSH is running, open the PC1 prompt and establish a connection using the command below.

ssh -l cisco 192.168.1.1
-l : Specifies the login name.
cisco : The username that will be used to connect to the router.
192.168.1.1 : The router's IP address.

ssh -l cisco 192.168.1.1

Step 2

Enter the username and password you created, and as soon as you press Enter, the connection will be established, as shown in the image below.

Connected from PC to Router with SSH

Step 3

In the SSH session you opened from the PC1 Command Prompt, execute the show ssh command. This lets you check which version of the SSH protocol is being used for the connection.

Using the show ssh command on the router

5. Connect from Router to Router via SSH

Step 1

In this step, execute the following command on the second router to open an SSH connection from one router to the other.

ssh -l cisco 192.168.1.1

Router Command Interface

Step 2

In the same way, enter the user account information you created on the Cisco Router and press Enter.

Using the SSH Command on the Router

Step 3

As you can see in the image below, a successful SSH connection is made.

Connection to Router Successful

Show Commands for SSH Connection

SYSNETTECH#show running-config
Building configuration...

Current configuration : 799 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname SYSNETTECH
!
no ip cef
no ipv6 cef
!
username cisco privilege 15 password 0 cisco123
!
license udi pid CISCO1941/K9 sn FTX152488GK
!
ip ssh version 2
ip ssh time-out 10
ip domain-name sysnettechsolutions.com
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
ip flow-export version 9
!
line con 0
!
line aux 0
!
line vty 0 4
login local
transport input ssh
privilege level 15
!
end
SYSNETTECH#

SYSNETTECH#show ssh
Connection  Version  Mode  Encryption  Hmac       State            Username
133         1.99     IN    aes128-cbc  hmac-sha1  Session Started  cisco
133         1.99     OUT   aes128-cbc  hmac-sha1  Session Started  cisco
133         1.99     IN    aes128-cbc  hmac-sha1  Session Started  cisco
133         1.99     OUT   aes128-cbc  hmac-sha1  Session Started  cisco
%No SSHv1 server connections running.
SYSNETTECH#

SYSNETTECH#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 10 secs; Authentication retries: 3
SYSNETTECH#

Video

With the simulator, you can watch the video below to enable SSH on the Router and connect from the PC. Also, subscribe to our YouTube channel to support us!


FAQ about SSH on Cisco Router

Why should I bother with SSH when Telnet exists?

Telnet traffic travels over the network as plain text. With a packet sniffer, you can see your username and password in seconds. SSH, on the other hand, turns the data into a mixed-up puzzle. Anyone in the middle sees only meaningless characters.
Especially today, when penetration tests are so common, this encryption is not a luxury but a necessity. Although version 1 has some weaknesses, the article describes how version 2 uses military-grade algorithms like AES and 3DES.
It also guarantees data integrity. That means the ‘shut down the router’ command you send cannot be changed into a ‘format’ command by an attacker on the way. Therefore, even in a lab, you should always get into the SSH habit.

The ‘crypto key generate rsa’ command gets stuck when generating a key in Packet Tracer. What am I missing?

This error is one of the most common traps my students fall into. The router needs an identity to generate a key. If you do not give it a name, it simply refuses.
You must first enter ‘ip domain-name’ in the command line to set a domain name. A made-up address like ‘sysnettechsolutions.com’ from the article will work. Even if it is not a real network, the simulator strictly follows this rule.
Another issue is the key size. 512 bits is too weak today. I always recommend choosing at least 1024 bits. It takes a little longer, but saves you trouble later. Once you generate the key, the device is ready for a secure handshake.

I set up SSH access to the router but cannot connect from the PC. What could be the reason?

Let’s first check the physical layer. Is the PC’s IP in the same network block as the router’s interface IP? If there’s a switch in between, are the ports ‘up’? If those are fine, the key is to look at the ‘line vty’ settings.
I’ve seen many people forget to enter the ‘transport input ssh’ command. Without it, the virtual terminal lines still listen only for Telnet. Also, you must use ‘login local’ to point to the local user database.
As a final note, after the ‘ip ssh version 2’ command in the simulator, you might need to wait a few seconds for the service to settle. If you get a connection error, make sure the service is running with the ‘show ip ssh’ command.
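As an added example (not part of the original article), the following Python script audits a running-config like the one shown under "Show Commands for SSH Connection" for the problems this FAQ and the configuration steps in section 2 warn about: a missing ip domain-name, a missing ip ssh version 2, and vty lines without login local or without an ssh-only transport input. It also flags the lab-only choices the article itself points out (privilege level 15 on the vty lines, a cleartext password 0, and service password-encryption disabled). The sample configuration is constructed from the article's output.

```python
import re

# Constructed sample: the SSH-relevant lines of the article's "show running-config".
SAMPLE_CONFIG = """\
no service password-encryption
username cisco privilege 15 password 0 cisco123
ip ssh version 2
ip domain-name sysnettechsolutions.com
line vty 0 4
 login local
 transport input ssh
 privilege level 15
"""

def vty_block(config):
    """Return the indented lines under 'line vty ...' (empty list if absent)."""
    out, inside = [], False
    for line in config.splitlines():
        if line.startswith("line vty"):
            inside = True
        elif inside and line.startswith(" "):
            out.append(line.strip())
        elif inside:
            break  # the next top-level section ends the vty block
    return out

def audit_ssh(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not re.search(r"^ip domain[- ]name \S+", config, re.M):  # both spellings are valid IOS
        findings.append("no ip domain-name: crypto key generate rsa will refuse to run")
    if "ip ssh version 2" not in config.splitlines():
        findings.append("ip ssh version 2 missing: SSHv1 may still be accepted")
    vty = vty_block(config)
    if "login local" not in vty:
        findings.append("vty lines lack 'login local': local username database not used")
    if not any(l.split() == ["transport", "input", "ssh"] for l in vty):
        findings.append("vty lines do not restrict transport input to ssh only")
    if "privilege level 15" in vty:
        findings.append("vty privilege level 15: every login lands in privileged mode")
    if re.search(r"^username \S+ .*password 0 ", config, re.M):
        findings.append("username stored with cleartext password (password 0)")
    if "no service password-encryption" in config.splitlines():
        findings.append("service password-encryption is disabled")
    return findings

if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Run against the article's own configuration it reports only the three lab-only choices; drop login local or widen transport input and the corresponding FAQ findings appear.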

What happens if I do not set privilege level to 15? Is this trick needed for beginners?

Without privilege level 15, after connecting you would need to type ‘enable’ and enter a special password. That’s extra effort and time. In training simulations, we put the user directly into privileged mode to speed things up.
But if we were building a company network, I would never recommend this. In a real scenario, separating privilege levels is critical. If you give a trainee level 15, they could erase the entire configuration at once.
The whole idea is that whoever knows the username and password becomes the admin directly. This setting gives comfort when practicing in a lab. Once you type ‘conf t’, you are ready.

What is the practical difference between SSH V1 and V2? Will using V1 in Packet Tracer cause problems?

The Packet Tracer simulation does not report an error, and you can still connect with V1. However, do not let that fool you. Version 1’s key exchange mechanism is full of holes. It is almost defenseless against man-in-the-middle attacks.
In V2, however, the Diffie-Hellman key exchange is much stronger. Moreover, thanks to message authentication, you know if a packet has been tampered with on the way. When you type ‘ip ssh version 2’ in the simulator, watch the device logs.
You will see the message ‘SSH 1.99 has been enabled’. That is nothing to worry about. 1.99 means the device listens to both versions but prefers V2. Just so you know, V2 support is complete.

When doing this encrypted jump from router to router, why did I feel like I was connecting to myself again?

Your eyes are not fooling you; that is exactly what happens. If there is no second router in the topology from the article, you are sending a request to your own IP from the command line. It is like the system turning to itself and saying, ‘Hello, I am here.’ In fact, it is the most practical way to test if the protocol works.
Think of it this way: with that command, you open a session on TCP port 22. You occupy a new virtual terminal line on the same device. That is why in the ‘show ssh’ output you see both incoming and outgoing connections separately.
This way, you confirm the configuration’s success without needing another device. This is commonly called a loopback SSH test. It is a smart move to do this test before connecting to a real remote device.

Conclusion

In this article, after examining how to enable SSH, we connected via SSH from the PC to the router and from router to router to verify the connection.

On real hardware, to configure SSH on routers, make sure the IOS image contains k9 (the crypto feature set).

Also, building a network from the beginning can sometimes be hard, especially if you are new to the program’s screen. To be honest, I picked the wrong cables a few times when I first started.

I suggest you first look at our step-by-step guide on making a simple network with Packet Tracer. Tips on adding devices and connecting cables will help you work much faster.

4 People Shared Their Experience

  1. Terrific article

  2. Very rich article

  3. Very good, it helped me!!!

  4. Hello!

    Can you please tell me how to connect Macbook terminal to the cisco packet tracer using SSH
