Copyright © 2016 VIT, All Rights Reserved. VIT and its logo are trademarks of Victorian Institute of Technolog 1
IT NE 2006
Implementing Firewall Technologies
LAB 4
WEEK - 6
IT NE 2005 Assessments
CONTENTS
Week 6 Implementing Firewall Technologies
Objective: Configuring Zone-Based Policy Firewalls
Note: ISR G1 devices have Fast Ethernet interfaces instead of Gigabit Ethernet interfaces.
Addressing Table
In this lab, you will perform the following tasks:
Part 1: Configure Basic Device Settings
• Configure basic settings such as host name, interface IP addresses, and access passwords.
• Configure static routing to enable end-to-end connectivity.
Part 2: Configuring a Zone-Based Policy Firewall (ZPF)
• Use the CLI to configure a Zone-Based Policy Firewall.
• Use the CLI to verify the configuration.
BACKGROUND
The most basic form of a Cisco IOS firewall uses access control lists (ACLs) to filter IP traffic and monitor
established traffic patterns. A traditional Cisco IOS firewall is an ACL-based firewall.
The newer Cisco IOS Firewall implementation uses a zone-based approach that operates as a function of interfaces
instead of access control lists. A Zone-Based Policy Firewall (ZPF) allows different inspection policies to be applied
to multiple host groups connected to the same router interface. It can be configured for extremely advanced,
protocol-specific, granular control. It prohibits traffic via a default deny-all policy between different firewall zones.
ZPF is suited for multiple interfaces that have similar or varying security requirements.
In this lab, you build a multi-router network, configure the routers and PC hosts, and configure a Zone-Based Policy
Firewall using the Cisco IOS command line interface (CLI).
Note: The router commands and output in this lab are from a Cisco 1941 with Cisco IOS Release 15.4(3)M2
(UniversalK9-M). Other routers and Cisco IOS versions can be used. See the Router Interface Summary Table at the
end of the lab to determine which interface identifiers to use based on the equipment in the lab. Depending on the
router model and Cisco IOS version, the commands available and output produced might vary from what is shown
in this lab.
Note: Before beginning, ensure that the routers and switches have been erased and have no startup
configurations.
Task 1: Configure Basic Device Settings
The desktop system assigned to you serves as an end-user terminal. You access and manage the lab environment
from the student desktop system using GNS3 Software.
Students should perform the steps in this task individually.
In Part 1 of this lab, you set up the network topology and configure basic settings, such as the interface IP
addresses, static routing, device access, and passwords.
All steps should be performed on routers R1-S0000 and R3-S0000. The procedures are shown for only one of the
routers.
The procedure for R1 is shown here as an example.
Step 1: Deploy router in GNS3 network.
Attach the devices as shown in the topology diagram and cable them as necessary.
Step 2: Configure basic settings for each router.
a. Configure host names as shown in the topology plus your student ID.
b. Configure interface IP addresses as shown in the IP Addressing Table.
R1 Config
R1-S0000#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1-S0000(config)#interface f0/1
R1-S0000(config-if)#ip address 192.168.1.1 255.255.255.0
R1-S0000(config-if)#no shutdown
R1-S0000(config-if)#exit
R1-S0000(config)#interface s0/0
R1-S0000(config-if)#ip address 10.1.1.1 255.255.255.252
R1-S0000(config-if)#no shutdown
R1-S0000(config-if)#exit
R1-S0000(config)#exit
R1-S0000#copy running-config startup-config
Destination filename [startup-config]?
R3 Config
R3-S0000#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3-S0000(config)#interface f0/1
R3-S0000(config-if)#ip address 192.168.3.1 255.255.255.0
R3-S0000(config-if)#no shutdown
R3-S0000(config-if)#exit
R3-S0000(config)#interface f0/0
R3-S0000(config-if)#ip address 192.168.33.1 255.255.255.0
R3-S0000(config-if)#no shutdown
R3-S0000(config-if)#exit
R3-S0000(config)#interface s0/1
R3-S0000(config-if)#ip address 10.2.2.1 255.255.255.252
R3-S0000(config-if)#no shutdown
R3-S0000(config-if)#exit
R3-S0000(config)#exit
R3-S0000#copy running-config startup-config
Destination filename [startup-config]?
R2 Config
R2-S0000#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2-S0000(config)#interface s0/0
R2-S0000(config-if)#ip address 10.1.1.2 255.255.255.252
R2-S0000(config-if)#no shutdown
R2-S0000(config-if)#exit
R2-S0000(config)#interface s0/1
R2-S0000(config-if)#ip address 10.2.2.2 255.255.255.252
R2-S0000(config-if)#no shutdown
R2-S0000(config-if)#exit
R2-S0000(config)#exit
R2-S0000#copy running-config startup-config
Destination filename [startup-config]?
c. Configure a clock rate for routers with a DCE serial cable attached to their serial interface. R1-STUDENTID is
shown here as an example.
R1-S0000# conf t
R1-S0000(config)# interface S0/0
R1-S0000(config-if)# clock rate 64000
R1-S0000(config-if)# exit
R1-S0000(config)# exit
R3:
R3-S0000# conf t
R3-S0000(config)# interface S0/1
R3-S0000(config-if)# clock rate 64000
R3-S0000(config-if)# exit
R3-S0000(config)# exit
R2:
R2-S0000# conf t
R2-S0000(config)# interface S0/0
R2-S0000(config-if)# clock rate 64000
R2-S0000(config-if)# exit
R2-S0000(config)# interface S0/1
R2-S0000(config-if)# clock rate 64000
R2-S0000(config-if)# exit
R2-S0000(config)# exit
d. To prevent the router from attempting to translate incorrectly entered commands as though they were host
names, disable DNS lookup. R1-STUDENTID is shown here as an example.
R1-STUDENTID(config)# no ip domain-lookup
R2-STUDENTID(config)# no ip domain-lookup
R3-STUDENTID(config)# no ip domain-lookup
Step 3: Configure static routing on the routers.
a. Configure a static default route from R1 to R2 and from R3 to R2.
R1:
R1-S0000#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1-S0000(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
R1-S0000(config)#end
R3:
R3-S0000#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3-S0000(config)#ip route 0.0.0.0 0.0.0.0 10.2.2.2
R3-S0000(config)#end
b. Configure a static route from R2 to the R1 LAN and from R2 to the R3 LAN.
R2:
R2-S0000#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2-S0000(config)#ip route 192.168.1.0 255.255.255.0 10.1.1.1
R2-S0000(config)#ip route 192.168.3.0 255.255.255.0 10.2.2.1
R2-S0000(config)#end
Step 4: Configure PC host IP settings.
Configure a static IP address, subnet mask, and default gateway for PC-A and PC-C, as shown in the IP addressing
table.
Deploy VPCS A: Connect Switch Port 8 to R1 f0/1
PC-A> ip 192.168.1.2/24 192.168.1.1
PC-A> save
Deploy VPCS B: Connect to R3 f0/1
PC-B> ip 192.168.3.2/24 192.168.3.1
PC-B> save
Deploy VPCS C: Connect to R3 f0/0
PC-C> ip 192.168.33.3/24 192.168.33.1
PC-C> save
Step 5: Verify connectivity between PC-A and R3.
a. Ping from R1 to R3.
If the pings are not successful, troubleshoot the basic device configurations before continuing.
b. Ping from PC-A on the R1 LAN to PC-C on the R3 LAN.
If the pings are not successful, troubleshoot the basic device configurations before continuing.
Note: If you can ping from PC-A to PC-C, you have demonstrated that static routing is configured and functioning
correctly. If you cannot ping but the device interfaces are up and IP addresses are correct, use the show run and
show ip route commands to help identify routing protocol-related problems.
Step 6: Save the basic running configuration for each router.
Step 7: Configure a user account, encrypted passwords and crypto keys for SSH.
Note: Passwords in this task are set to a minimum of 10 characters but are relatively simple for the benefit of
performing the lab. More complex passwords are recommended in a production network.
For this step, configure the same settings for R1-S0000 and R3. Router R1-S0000 is shown here as an example.
a. Configure a minimum password length.
Use the security passwords command to set a minimum password length of 10 characters.
R1-S0000(config)# security passwords min-length 10
R3-S0000(config)# security passwords min-length 10
b. Configure a domain name.
R1-S0000(config)# ip domain-name ccnasecurity.com
R3-S0000(config)# ip domain-name ccnasecurity.com
c. Configure crypto keys for SSH
R1-S0000(config)# crypto key generate rsa general-keys modulus 1024
R3-S0000(config)# crypto key generate rsa general-keys modulus 1024
d. Configure the enable secret password on both routers. Use the type 9 (SCRYPT) hashing algorithm.
R1-S0000(config)# enable algorithm-type scrypt secret cisco12345
R3-S0000(config)# enable algorithm-type scrypt secret cisco12345
e. Configure line console 0 to use the local user database for logins. For additional security, the exec-timeout
command causes the line to log out after 5 minutes of inactivity. The logging synchronous command prevents
console messages from interrupting command entry.
Before login local is applied, the local user database must contain at least one account; otherwise the line
cannot be used again once you exit. ADMIN_USER and ADMIN_PASSWORD below are placeholders for a user name and a
password of at least 10 characters that you choose.
Note: To avoid repetitive logins during this lab, the exec timeout can be set to 0 0, which prevents it from expiring.
However, this is not considered a good security practice.
R1-S0000(config)# username ADMIN_USER algorithm-type scrypt secret ADMIN_PASSWORD
R1-S0000(config)# line console 0
R1-S0000(config-line)# login local
R1-S0000(config-line)# exec-timeout 5 0
R1-S0000(config-line)# logging synchronous
R1-S0000(config-line)# exit
f. Configure the aux port of router R1 to use the local user database.
R1-S0000(config)# line aux 0
R1-S0000(config-line)# login local
R1-S0000(config-line)# exec-timeout 5 0
R1-S0000(config-line)# exit
g. Configure the vty lines of router R1 to use the local user database and to accept SSH only.
R1-S0000(config)# line vty 0 4
R1-S0000(config-line)# login local
R1-S0000(config-line)# transport input ssh
R1-S0000(config-line)# exec-timeout 5 0
R1-S0000(config-line)# exit
h. Encrypt the console, aux, and vty passwords.
R1-S0000(config)# service password-encryption
R1-S0000(config)# exit
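The settings in Step 7 are easy to get partly right: login local applied before any local user exists locks the line, exec-timeout 0 0 leaves sessions open forever, and a vty line that is not restricted to SSH still accepts Telnet. The Python script below, added here as an example and not part of the lab, audits a saved running-config text for the access-control settings this step calls for. Both configurations in it are constructed; ADMIN_USER and the $9$PLACEHOLDERHASH value are placeholders, not a real account or a real scrypt digest.

```python
"""Audit an IOS running-config for the Step 7 access-control settings.

Added example, not part of the lab: the configurations are constructed
and the type-9 hash is a placeholder, not a real scrypt digest.
"""
import re

# Constructed: a router with login local on every line but no local user,
# and without service password-encryption.
LAB_CONFIG = """\
hostname R1-S0000
security passwords min-length 10
ip domain-name ccnasecurity.com
enable secret 9 $9$PLACEHOLDERHASH
!
line con 0
 exec-timeout 5 0
 logging synchronous
 login local
line aux 0
 exec-timeout 5 0
 login local
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
!
"""

# Constructed: the same router with a local account and password encryption.
HARDENED_CONFIG = LAB_CONFIG.replace(
    "enable secret 9",
    "username ADMIN_USER secret 9 $9$PLACEHOLDERHASH\n"
    "service password-encryption\n"
    "enable secret 9",
)


def line_sections(config):
    """Map each 'line ...' block to its indented sub-commands."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # any other global command ends the block
    return sections


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    globals_ = [l.strip() for l in config.splitlines()
                if l and not l.startswith((" ", "!"))]
    has_user = any(g.startswith("username ") for g in globals_)

    m = re.search(r"^security passwords min-length (\d+)$", config, re.M)
    if m is None or int(m.group(1)) < 10:
        findings.append("minimum password length below 10 or not set")
    if not re.search(r"^enable secret 9 ", config, re.M):
        findings.append("enable secret missing or not type 9 (scrypt)")
    if any(g.startswith("enable password ") for g in globals_):
        findings.append("enable password (reversible or clear text) present")
    if "service password-encryption" not in globals_:
        findings.append("service password-encryption missing")
    if not any(g.startswith("ip domain-name ") for g in globals_):
        findings.append("ip domain-name missing (RSA keys for SSH need it)")

    for name, cmds in line_sections(config).items():
        if "login local" in cmds and not has_user:
            findings.append(f"{name}: login local without any username (lockout)")
        if "exec-timeout 0 0" in cmds:
            findings.append(f"{name}: exec-timeout 0 0 never expires the session")
        if name.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append(f"{name}: transport input is not restricted to ssh")
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

Paste the output of show running-config into a file and pass its text to audit() to check a real router; the checks are keyed on the exact command strings IOS writes into the running configuration.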
Step 8: Save the basic configurations on all routers.
Save the running configuration to the startup configuration from the privileged EXEC prompt.
R1-S0000# copy running-config startup-config
R3-S0000# copy running-config startup-config
R2-S0000# copy running-config startup-config
Part 2: Configuring a Zone-Based Policy Firewall (ZPF)
In Part 2 of this lab, you configure a zone-based policy firewall (ZPF) on R3 using the command line interface (CLI).
Task 1: Verify Current Router Configurations.
In this task, you will verify end-to-end network connectivity before implementing ZPF.
Step 1: Verify end-to-end network connectivity.
a. Ping from R1 to R3 using both of R3’s FastEthernet interface IP addresses.
If the pings are not successful, troubleshoot the basic device configurations before continuing.
b. Ping from PC-A on the R1 LAN to PC-C on the R3 conference room LAN.
If the pings are not successful, troubleshoot the basic device configurations before continuing.
c. Ping from PC-A on the R1 LAN to PC-B on the R3 internal LAN.
If the pings are not successful, troubleshoot the basic device configurations before continuing.
Step 2: Display the R3 running configurations.
a. Issue the show ip interface brief command on R3 to verify the correct IP addresses were assigned. Use the IP
Address Table to verify the addresses.
b. Issue the show ip route command on R3 to verify it has a static default route pointing to R2’s serial 0/1 interface.
c. Issue the show run command to review the current basic configuration on R3.
d. Verify the R3 basic configuration as performed in Part 1 of the lab. Are there any security commands related to
access control?
____________________________________________________________________________________
Task 2: Create a Zone-Based Policy Firewall
In this task, you will create a zone-based policy firewall on R3, making it act not only as a router but also
as a firewall. R3 is currently responsible for routing packets for the three networks connected to it. R3’s
interface roles are configured as follows:
Serial 0/1 is connected to the Internet. Because this is a public network, it is considered an untrusted
network and should have the lowest security level.
F0/1 is connected to the internal network. Only authorized users have access to this network. In
addition, vital institution resources also reside in this network. The internal network is to be considered
a trusted network and should have the highest security level.
F0/0 is connected to a conference room. The conference room is used to host meetings with people
who are not part of the organization.
The security policy to be enforced by R3 when it is acting as a firewall dictates that:
• No traffic initiated from the Internet should be allowed into the internal or conference room
networks.
• Returning Internet traffic (return packets coming from the Internet into the R3 site, in response
to requests originating from any of the R3 networks) should be allowed.
• Computers in the R3 internal network are considered trusted and are allowed to initiate any
type traffic (TCP, UDP or ICMP based traffic).
• Computers in the R3 conference room network are considered untrusted and are allowed to
initiate only web traffic (HTTP or HTTPS) to the Internet.
• No traffic is allowed between the internal network and the conference room network. There is
no guarantee regarding the condition of guest computers in the conference room network. Such
machines could be infected with malware and might attempt to send out spam or other
malicious traffic.
Step 1: Creating the security zones.
A security zone is a group of interfaces with similar security properties and requirements. For example, if
a router has three interfaces connected to internal networks, all three interfaces can be placed under
the same zone named “internal”. Because all security properties are configured to the zone instead of to
the individual router interfaces, the firewall design is much more scalable.
In this lab, the R3 site has three interfaces; one connected to an internal trusted network, one
connected to the conference room network and another connected to the Internet. Because all three
networks have different security requirements and properties, we will create three different security
zones.
a. Security zones are created in global configuration mode, and the command allows for zone name
definition. In R3, create three zones named INSIDE, CONFROOM and INTERNET:
R3-S0000(config)# zone security INSIDE
R3-S0000(config)# zone security CONFROOM
R3-S0000(config)# zone security INTERNET
Step 2: Creating Security Policies
Before ZPF can decide if some specific traffic should be allowed or denied, it must be told what traffic is
to be considered. Cisco IOS uses class-maps to select traffic. Interesting traffic is a common
denomination for traffic that has been selected by a class-map.
While class-maps select traffic, it is not their job to decide what happens to the selected traffic;
Policy-maps decide the fate of the selected traffic.
ZPF traffic policies are defined as policy-maps and use class-maps to select traffic. In other words,
class-maps define what traffic is to be policed while policy-maps define the action to be taken upon the
selected traffic.
Policy-maps can drop, pass or inspect traffic. Because we want the firewall to watch traffic moving in the
direction of zone-pairs, we will create inspect policy-maps. Inspect policy-maps allow for dynamic
handling of the return traffic.
First, you will create class-maps. After the class-maps are created, you will create policy-maps and
attach the class-maps to the policy-maps.
a. Create an inspect class-map to match traffic to be allowed from the INSIDE zone to the INTERNET
zone. Because we trust the INSIDE zone, we allow all the main protocols.
In the commands below, the first line creates an inspect class-map. The match-any keyword instructs
the router that any of the match protocol statements will qualify as a successful match resulting in a
policy being applied. The result is a match for TCP or UDP or ICMP packets.
The match commands refer to specific Cisco NBAR supported protocols. For more information on Cisco
NBAR visit Cisco Network-Based Application Recognition.
R3-S0000(config)# class-map type inspect match-any INSIDE_PROTOCOLS
R3-S0000(config-cmap)# match protocol tcp
R3-S0000(config-cmap)# match protocol udp
R3-S0000(config-cmap)# match protocol icmp
b. Similarly, create a class-map to match the traffic to be allowed from the CONFROOM zone to the
INTERNET zone. Because we do not fully trust the CONFROOM zone, we must limit what hosts in that zone can
send out to the Internet:
R3-S0000(config)# class-map type inspect match-any CONFROOM_PROTOCOLS
R3-S0000(config-cmap)# match protocol http
R3-S0000(config-cmap)# match protocol https
R3-S0000(config-cmap)# match protocol dns
c. Now that the class-maps are created, you can create the policy-maps.
In the commands below, the first line creates an inspect policy-map named INSIDE_TO_INTERNET. The
second line binds the previously created INSIDE_PROTOCOLS class-map to the policy-map. All packets
matched by the INSIDE_PROTOCOLS class-map will be subjected to the action taken by the
INSIDE_TO_INTERNET policy-map. Finally, the third line defines the actual action this policy-map will
apply to the matched packets. In this case, the matched packets will be inspected.
The next three lines create a similar policy-map named CONFROOM_TO_INTERNET and attach the
CONFROOM_PROTOCOLS class-map.
The commands are as follows:
R3-S0000(config)# policy-map type inspect INSIDE_TO_INTERNET
R3-S0000(config-pmap)# class type inspect INSIDE_PROTOCOLS
R3-S0000(config-pmap-c)# inspect
R3-S0000(config)# policy-map type inspect CONFROOM_TO_INTERNET
R3-S0000(config-pmap)# class type inspect CONFROOM_PROTOCOLS
R3-S0000(config-pmap-c)# inspect
Step 3: Create the Zone Pairs
A zone pair allows you to specify a unidirectional firewall policy between two security zones.
For example, a commonly used security policy dictates that the internal network can initiate any traffic
towards the Internet but no traffic originating from the Internet should be allowed to reach the internal
network.
This traffic policy requires only one zone pair, INTERNAL to INTERNET. Because zone-pairs define
unidirectional traffic flow, another zone-pair must be created if Internet-initiated traffic must flow in the
INTERNET to INTERNAL direction.
Notice that Cisco ZPF can be configured to inspect traffic that moves in the direction defined by the zone
pair. In that situation, the firewall watches the traffic and dynamically creates rules allowing the return
or related traffic to flow back through the router.
To define a zone pair, use the zone-pair security command. The direction of the traffic is specified by the
source and destination zones.
For this lab, you will create two zone-pairs:
INSIDE_TO_INTERNET: Allows traffic leaving the internal network towards the Internet.
CONFROOM_TO_INTERNET: Allows Internet access from the ConfRoom network.
a. Creating the zone-pairs:
R3-S0000(config)# zone-pair security INSIDE_TO_INTERNET source INSIDE destination INTERNET
R3-S0000(config)# zone-pair security CONFROOM_TO_INTERNET source CONFROOM destination INTERNET
b. Verify the zone-pairs were correctly created by issuing the show zone-pair security command. Notice
that no policies are associated with the zone-pairs yet. The security policies will be applied to zone-pairs
in the next step.
R3-S0000# show zone-pair security
Copy and paste the output below
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Step 4: Applying Security Policies
a. As the last configuration step, apply the policy-maps to the zone-pairs:
R3-S0000(config)# zone-pair security INSIDE_TO_INTERNET
R3-S0000(config-sec-zone-pair)# service-policy type inspect INSIDE_TO_INTERNET
R3-S0000(config)# zone-pair security CONFROOM_TO_INTERNET
R3-S0000(config-sec-zone-pair)# service-policy type inspect CONFROOM_TO_INTERNET
b. Issue the show zone-pair security command once again to verify the zone-pair configuration. Notice that the
service-policies are now displayed:
R3-S0000#show zone-pair security
Zone-pair name INSIDE_TO_INTERNET
Source-Zone INSIDE Destination-Zone INTERNET
service-policy INSIDE_TO_INTERNET
Zone-pair name CONFROOM_TO_INTERNET
Source-Zone CONFROOM Destination-Zone INTERNET
service-policy CONFROOM_TO_INTERNET
To obtain more information about the zone-pairs, their policy-maps, the class-maps and match counters, use the
show policy-map type inspect zone-pair command:
R3-S0000#show policy-map type inspect zone-pair
Copy and paste the output below
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Step 5: Assign Interfaces to the Proper Security Zones
Interfaces (physical and logical) are assigned to security zones with the zone-member security interface
command.
a. Assign R3’s f0/0 to the CONFROOM security zone:
R3-S0000(config)# interface f0/0
R3-S0000(config-if)# zone-member security CONFROOM
b. Assign R3’s f0/1 to the INSIDE security zone:
R3-S0000(config)# interface f0/1
R3-S0000(config-if)# zone-member security INSIDE
c. Assign R3’s S0/1 to the INTERNET security zone:
R3-S0000(config)# interface s0/1
R3-S0000(config-if)# zone-member security INTERNET
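With the interfaces assigned, the ZPF configuration on R3 is complete. The Python model below is an added example (not part of the lab and not Cisco code) that re-creates the zones, class-maps, policy-maps and zone-pairs entered in Steps 1 to 5 and applies the ZPF decision rules to constructed flows: traffic inside one zone passes, traffic between a zone member and a non-member interface or between two zones with no zone-pair is dropped, the system-defined self zone passes by default when no zone-pair covers it, and an inspect action records the session so that only reply traffic is admitted from the INTERNET zone. The host 198.51.100.10 standing in for the Internet, the use of "self" as a pseudo-interface for the router's own addresses, and the reduction of NBAR classification to a (transport, application) pair are assumptions made for the model.

```python
"""Toy model of Cisco IOS Zone-Based Policy Firewall (ZPF) decisions.

Added example, not part of the lab or of Cisco IOS. Assumptions: NBAR
classification is reduced to a (transport, application) pair and "self"
stands for the router's own addresses.
"""
from dataclasses import dataclass

INSPECT, PASS, DROP = "inspect", "pass", "drop"
SELF = "self"  # system-defined zone: traffic to or from the router itself


@dataclass(frozen=True)
class Flow:
    src: str        # source IP
    dst: str        # destination IP
    transport: str  # tcp, udp or icmp
    app: str        # NBAR application name: http, https, dns, icmp, ...
    ingress: str    # interface the packet arrives on, or SELF
    egress: str     # interface the packet leaves on, or SELF


class ZoneFirewall:
    def __init__(self):
        self.zone_of = {}      # interface -> zone   (zone-member security)
        self.class_maps = {}   # name -> protocols    (class-map match-any)
        self.policy_maps = {}  # name -> [(class-map, action), ...]
        self.zone_pairs = {}   # (src zone, dst zone) -> policy-map or None
        self.sessions = set()  # entries created dynamically by "inspect"

    def zone_member(self, iface, zone):
        self.zone_of[iface] = zone

    def class_map(self, name, *protocols):
        self.class_maps[name] = set(protocols)

    def policy_map(self, name, *rules):
        self.policy_maps[name] = list(rules)

    def zone_pair(self, src, dst, policy=None):
        self.zone_pairs[(src, dst)] = policy

    def _zone(self, iface):
        return SELF if iface == SELF else self.zone_of.get(iface)

    def decide(self, f):
        """Return (verdict, reason) for one packet in ZPF evaluation order."""
        if (f.src, f.dst, f.transport, f.app) in self.sessions:
            return PASS, "return traffic of an inspected session"
        src_zone, dst_zone = self._zone(f.ingress), self._zone(f.egress)
        if src_zone is None and dst_zone is None:
            return PASS, "neither interface is a zone member"
        if src_zone is None or dst_zone is None:
            return DROP, "zone member to non-member interface"
        if src_zone == dst_zone:
            return PASS, "intra-zone traffic"
        if (src_zone, dst_zone) not in self.zone_pairs:
            if SELF in (src_zone, dst_zone):
                return PASS, "self zone without a zone-pair passes by default"
            return DROP, "no zone-pair for this direction"
        policy = self.zone_pairs[(src_zone, dst_zone)]
        if policy is None:
            return DROP, "zone-pair has no service-policy"
        for cmap, action in self.policy_maps[policy]:
            protocols = self.class_maps[cmap]
            if f.transport in protocols or f.app in protocols:
                if action == INSPECT:
                    # remember the reverse flow so the reply is admitted
                    self.sessions.add((f.dst, f.src, f.transport, f.app))
                return action, f"class {cmap} of policy {policy}"
        return DROP, f"class-default of policy {policy}"


def build_r3():
    """R3 as configured in Part 2, Steps 1 to 5 of the lab."""
    fw = ZoneFirewall()
    fw.class_map("INSIDE_PROTOCOLS", "tcp", "udp", "icmp")
    fw.class_map("CONFROOM_PROTOCOLS", "http", "https", "dns")
    fw.policy_map("INSIDE_TO_INTERNET", ("INSIDE_PROTOCOLS", INSPECT))
    fw.policy_map("CONFROOM_TO_INTERNET", ("CONFROOM_PROTOCOLS", INSPECT))
    fw.zone_pair("INSIDE", "INTERNET", "INSIDE_TO_INTERNET")
    fw.zone_pair("CONFROOM", "INTERNET", "CONFROOM_TO_INTERNET")
    fw.zone_member("f0/0", "CONFROOM")
    fw.zone_member("f0/1", "INSIDE")
    fw.zone_member("s0/1", "INTERNET")
    return fw


if __name__ == "__main__":
    fw = build_r3()
    NET = "198.51.100.10"  # constructed Internet host (TEST-NET-2 range)
    for flow in (
        Flow("192.168.3.2", NET, "tcp", "http", "f0/1", "s0/1"),
        Flow(NET, "192.168.3.2", "tcp", "http", "s0/1", "f0/1"),
        Flow(NET, "192.168.3.2", "tcp", "ssh", "s0/1", "f0/1"),
        Flow("192.168.33.3", NET, "icmp", "icmp", "f0/0", "s0/1"),
        Flow("192.168.3.2", "192.168.33.3", "icmp", "icmp", "f0/1", "f0/0"),
        Flow("192.168.33.3", "192.168.3.1", "icmp", "icmp", "f0/0", SELF),
    ):
        print(f"{flow.src:>14} -> {flow.dst:<14} {flow.app:<5}", *fw.decide(flow))
```

The order of checks in decide() mirrors how ZPF treats a packet: an existing inspected session is honoured before any zone rule, and the zone-pair policy is consulted only for the first packet of a flow. The last flow in the demonstration, a ping from the conference room to R3's own address, passes only because the self zone has no zone-pair; the optional challenge at the end of the lab is exactly about closing that gap for Internet-originated traffic.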
Step 6: Verify Zone Assignment
a. Issue the show zone security command to ensure the zones were properly created, and the interfaces
were correctly assigned:
R3-S0000# show zone security
zone self
Description: System defined zone
zone CONFROOM
Member Interfaces:
GigEthernet0/0
zone INSIDE
Member Interfaces:
GigEthernet0/1
zone INTERNET
Member Interfaces:
Serial0/0/1
b. Even though no commands were issued to create a “self” zone, the output above still displays it. Why
is R3 displaying a zone named “self”? What is the significance of this zone?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Part 3: ZPF Verification
Task 1: Verify ZPF Firewall Functionality
Step 1: Traffic originating on the Internet
a. To test the firewall’s effectiveness, ping PC-B from PC-A. In PC-A, open a command prompt and issue:
PC-A> ping 192.168.3.3
Was the ping successful? Explain.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
b. Ping PC-C from PC-A. In PC-A, open a command window and issue
PC-A> ping 192.168.33.3
Was the ping successful? Explain.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
c. Ping PC-A from PC-B. In PC-B, open a command window and issue
PC-B> ping 192.168.1.3
d. Was the ping successful? Explain.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
e. Ping PC-A from PC-C. In PC-C, open a command window and issue
PC-C> ping 192.168.1.3
f. Was the ping successful? Explain.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
Step 2: The Self Zone Verification
a. From PC-A ping R3’s f0/1 interface:
PC-A> ping 192.168.3.1
Was the ping successful? Is this the correct behavior? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
b. From PC-C ping R3’s f0/1 interface:
PC-C> ping 192.168.3.1
Was the ping successful? Is this the correct behavior? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Save running configuration on all routers
Challenge (optional)
Create the proper zone-pair, class-maps, and policy-maps and configure R3 to prevent Internet
originating traffic from reaching the Self Zone.