15-8
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 15 Inspection of Database, Directory, and Management Protocols
GTP Inspection
hostname(config-pmap-p)#
b. Set one or more parameters. You can set the following options; use the no form of the command to disable the option:

• permit errors—Allows invalid GTP packets or packets that otherwise would fail parsing and be dropped.

• request-queue max_requests—Sets the maximum number of GTP requests that will be queued waiting for a response. The default is 200. When the limit has been reached and a new request arrives, the request that has been in the queue for the longest time is removed. The Error Indication, the Version Not Supported and the SGSN Context Acknowledge messages are not considered as requests and do not enter the request queue to wait for a response.

• tunnel-limit max_tunnels—Sets the maximum number of GTP tunnels allowed to be active on the ASA. The default is 500. New requests will be dropped once the number of tunnels specified by this command is reached.

• timeout {gsn | pdp-context | request | signaling | tunnel} time—Sets the idle timeout for the specified service (in hh:mm:ss format). To have no timeout, specify 0 for the number. Enter the command separately for each timeout.

  The gsn keyword specifies the period of inactivity after which a GSN will be removed.

  The pdp-context keyword specifies the maximum period of time allowed before beginning to receive the PDP context.

  The request keyword specifies the maximum period of time allowed before beginning to receive the GTP message.

  The signaling keyword specifies the period of inactivity after which the GTP signaling will be removed.

  The tunnel keyword specifies the period of inactivity after which the GTP tunnel will be torn down.
Step 5   While still in parameter configuration mode, configure IMSI prefix filtering, if desired.

hostname(config-pmap-p)# mcc country_code mnc network_code

By default, the security appliance does not check for valid Mobile Country Code (MCC)/Mobile Network Code (MNC) combinations. If you configure IMSI prefix filtering, the MCC and MNC in the IMSI of the received packet are compared with the configured MCC/MNC combinations, and the packet is dropped if they do not match.

The Mobile Country Code is a non-zero, three-digit value; add zeros as a prefix for one- or two-digit values. The Mobile Network Code is a two- or three-digit value.

Add all permitted MCC and MNC combinations. By default, the ASA does not check the validity of MNC and MCC combinations, so you must verify the validity of the combinations you configure. For more information about MCC and MNC codes, see the ITU E.212 recommendation, Identification Plan for Land Mobile Stations.
Step 6   While still in parameter configuration mode, configure GSN pooling, if desired.

hostname(config-pmap-p)# permit response to-object-group SGSN_name from-object-group GSN_pool

When the ASA performs GTP inspection, by default the ASA drops GTP responses from GSNs that were not specified in the GTP request. This situation occurs when you use load-balancing among a pool of GSNs to provide efficiency and scalability of GPRS.
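The following puts Steps 4b through 6 together in one GTP inspection policy map and applies it to GTP control traffic. It is an added illustrative configuration, not an example from the guide; the object-group and policy names, the addresses, the MCC/MNC pair and the access list used to classify traffic are assumptions.

```cisco
! Added example configuration (not from the guide). Names, addresses,
! MCC/MNC values and the classification ACL are assumptions.

! Step 6 prerequisites: the SGSN that issues requests, and the pool of
! GSNs that may answer instead of the one the request was sent to.
object-group network SGSN_GROUP
 network-object host 192.0.2.10
object-group network GSN_POOL
 network-object 198.51.100.0 255.255.255.0

policy-map type inspect gtp GTP_POLICY
 parameters
  ! Step 4b: "permit errors" is left off so malformed GTP is dropped.
  ! Raise the queue and tunnel limits above the defaults (200 / 500)
  ! to match the expected load.
  request-queue 300
  tunnel-limit 800
  ! One timeout command per timer, in hh:mm:ss.
  timeout gsn 00:30:00
  timeout pdp-context 00:30:00
  timeout request 00:01:00
  timeout signaling 00:30:00
  timeout tunnel 01:00:00
  ! Step 5: IMSI prefix filtering. Only listed MCC/MNC pairs pass;
  ! 001/01 is the ITU test-network code, used here as a placeholder.
  mcc 001 mnc 01
  ! Step 6: accept responses to the SGSN from any GSN in the pool.
  permit response to-object-group SGSN_GROUP from-object-group GSN_POOL

! Classify GTPv1 control plane (UDP 2123) and GTPv0 (UDP 3386) traffic
! and add it to the default global service policy.
access-list GTP_ACL extended permit udp any any eq 2123
access-list GTP_ACL extended permit udp any any eq 3386
class-map GTP_CLASS
 match access-list GTP_ACL
policy-map global_policy
 class GTP_CLASS
  inspect gtp GTP_POLICY
! global_policy is already applied globally in the default configuration;
! the line below is only needed if it has been removed.
service-policy global_policy global
```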