Cisco ASA 5506-X Configuration Manual page 244

GTP Inspection
Step 5
While still in parameter configuration mode, configure IMSI prefix filtering, if desired.
hostname(config-pmap-p)# mcc country_code mnc network_code
By default, the security appliance does not check for valid Mobile Country Code (MCC)/Mobile Network Code (MNC) combinations. If you configure IMSI prefix filtering, the MCC and MNC in the IMSI of the received packet are compared with the configured MCC/MNC combinations, and the packet is dropped if they do not match.
The Mobile Country Code is a non-zero, three-digit value; add zeros as a prefix for one- or two-digit values. The Mobile Network Code is a two- or three-digit value.
Add all permitted MCC and MNC combinations. Because the ASA does not check the validity of MNC and MCC combinations, you must verify the validity of the combinations you configure. For more information about MCC and MNC codes, see the ITU E.212 recommendation, Identification Plan for Land Mobile Stations.
Step 6
While still in parameter configuration mode, configure GSN pooling, if desired.
hostname(config-pmap-p)# permit response to-object-group SGSN_name from-object-group GSN_pool
When the ASA performs GTP inspection, by default it drops GTP responses from GSNs that were not specified in the GTP request. This situation occurs when you use load balancing among a pool of GSNs to provide efficiency and scalability of GPRS.
To configure GSN pooling and thus support load balancing, create a network object group that specifies the GSNs and specify it with the from-object-group parameter. Likewise, create a network object group for the SGSN and specify it with the to-object-group parameter. If the responding GSN belongs to the same object group as the GSN to which the GTP request was sent, and if the SGSN is in an object group that the responding GSN is permitted to send a GTP response to, the ASA permits the response.
The network object group can identify the GSN or SGSN by host address or by the subnet that contains them.
Example
The following example shows how to support GSN pooling by defining network objects for the GSN pool and the SGSN. An entire Class C network is defined as the GSN pool, but you can identify multiple individual IP addresses, one per network-object command, instead of identifying whole networks. The example then modifies a GTP inspection map to permit responses from the GSN pool to the SGSN.
hostname(config)# object-group network gsnpool32
hostname(config-network)# network-object 192.168.100.0 255.255.255.0
hostname(config)# object-group network sgsn32
hostname(config-network)# network-object host 192.168.50.100
Cisco ASA Series Firewall CLI Configuration Guide
10-8
timeout {gsn | pdp-context | request | signaling | tunnel} time—Sets the idle timeout for the specified service (in hh:mm:ss format). To have no timeout, specify 0 for the number. Enter the command separately for each timeout.
The gsn keyword specifies the period of inactivity after which a GSN will be removed.
The pdp-context keyword specifies the maximum period of time allowed before beginning to receive the PDP context.
The request keyword specifies the maximum period of time allowed before beginning to receive the GTP message.
The signaling keyword specifies the period of inactivity after which the GTP signaling will be removed.
The tunnel keyword specifies the period of inactivity after which the GTP tunnel will be torn down.
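Putting Steps 5 and 6 and the timeout commands together, the following is a complete GTP inspection map applied through a service policy. This is an added example, not the manual's own configuration; the map name gtp-map, the MCC/MNC values, the timeout values, and the policy-map, class and service-policy lines that attach the map are assumptions not shown on this page.

```cisco
! Constructed example: the GSN pool (a /24) and the single SGSN
object-group network gsnpool32
 network-object 192.168.100.0 255.255.255.0
object-group network sgsn32
 network-object host 192.168.50.100
!
! GTP inspection map; 'parameters' enters the config-pmap-p mode used in Steps 5 and 6
policy-map type inspect gtp gtp-map
 parameters
  ! Step 5: IMSI prefix filtering. Only IMSIs beginning with one of these
  ! MCC/MNC pairs are accepted; every other IMSI is dropped. MCC is always
  ! three digits (pad with leading zeros); MNC is two or three digits.
  ! The values below are placeholders, not a real operator list.
  mcc 310 mnc 410
  mcc 310 mnc 260
  mcc 262 mnc 01
  ! Step 6: GSN pooling. A response from any GSN in gsnpool32 to the SGSN
  ! in sgsn32 is permitted even if the request was sent to another pool member.
  permit response to-object-group sgsn32 from-object-group gsnpool32
  ! Idle timeouts in hh:mm:ss, one command per timer; 0 disables that timer.
  timeout gsn 00:30:00
  timeout pdp-context 00:30:00
  timeout request 00:01:00
  timeout signaling 00:30:00
  timeout tunnel 01:00:00
!
! Apply the map to GTP traffic through the global service policy
! (policy-map and class names assumed; GTP inspection is not part of the default policy)
policy-map global_policy
 class inspection_default
  inspect gtp gtp-map
service-policy global_policy global
```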
Chapter 10
Inspection for Management Application Protocols