Support User Manuals

Cisco Systems ASA5515K9 Network Router User Manual

Open as PDF

of 1994

46-5

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 46 Configuring Inspection for Management Application Protocols

GTP Inspection

• timeout signaling 0:30:00

• timeout tunnel 0:01:00

• tunnel-limit 500

To create and configure a GTP map, perform the following steps. You can then apply the GTP map when

you enable GTP inspection according to the “Configuring Application Layer Protocol Inspection”

section on page 42-6.

Step 1 Create a GTP inspection policy map, enter the following command:

hostname(config)# policy-map type inspect gtp policy_map_name

hostname(config-pmap)#

Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration

mode.

Step 2 (Optional) To add a description to the policy map, enter the following command:

hostname(config-pmap)# description string

Step 3 To match an Access Point name, enter the following command:

hostname(config-pmap)# match [not] apn regex [regex_name | class regex_class_name]

Step 4 To match a message ID, enter the following command:

hostname(config-pmap)# match [not] message id [message_id | range lower_range upper_range]

Where the message_id is an alphanumeric identifier between 1 and 255. The lower_range is lower range

of message IDs. The upper_range is the upper range of message IDs.

Step 5 To match a message length, enter the following command:

hostname(config-pmap)# match [not] message length min min_length max max_length

Where the min_length and max_length are both between 1 and 65536. The length specified by this

command is the sum of the GTP header and the rest of the message, which is the payload of the UDP

packet.

Step 6 To match the version, enter the following command:

hostname(config-pmap)# match [not] version [version_id | range lower_range upper_range]

Where the version_id is between 0and 255. The lower_range is lower range of versions. The

upper_range is the upper range of versions.

Step 7 To configure parameters that affect the inspection engine, perform the following steps:

a. To enter parameters configuration mode, enter the following command:

hostname(config-pmap)# parameters

hostname(config-pmap-p)#

The mnc network_code argument is a two or three-digit value identifying the network code.

By default, the security appliance does not check for valid MCC/MNC combinations. This command

is used for IMSI Prefix filtering. The MCC and MNC in the IMSI of the received packet is compared

with the MCC/MNC configured with this command and is dropped if it does not match.

previous next