Configuring A Gtp Inspection Policy Map For Additional Inspection Control - Cisco FirePOWER ASA 5500 series Configuration Manual

GTP Inspection
GTP does not include any inherent security or encryption of user data, but using GTP with the security
appliance helps protect your network against these risks.
The SGSN is logically connected to a GGSN using GTP. GTP allows multiprotocol packets to be
tunneled through the GPRS backbone between GSNs. GTP provides a tunnel control and management
protocol that allows the SGSN to provide GPRS network access for a mobile station by creating,
modifying, and deleting tunnels. GTP uses a tunneling mechanism to provide a service for carrying user
data packets.
Note
When using GTP with failover, if a GTP connection is established and the active unit fails before data
is transmitted over the tunnel, the GTP data connection (with a "j" flag set) is not replicated to the
standby unit. This occurs because the active unit does not replicate embryonic connections to the standby
unit.

Configuring a GTP Inspection Policy Map for Additional Inspection Control

If you want to enforce additional parameters on GTP traffic, create and configure a GTP map. If you do
not specify a map with the inspect gtp command, the security appliance uses the default GTP map,
which is preconfigured with the following default values:

request-queue 200
timeout gsn 0:30:00
timeout pdp-context 0:30:00
timeout request 0:01:00
timeout signaling 0:30:00
timeout tunnel 0:01:00
tunnel-limit 500

To create and configure a GTP map, perform the following steps. You can then apply the GTP map when
you enable GTP inspection according to the "Configuring Application Inspection" section on page 25-5.

Step 1
To create a GTP inspection policy map, enter the following command:
hostname(config)# policy-map type inspect gtp policy_map_name
hostname(config-pmap)#
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration
mode.

Step 2
(Optional) To add a description to the policy map, enter the following command:
hostname(config-pmap)# description string

Step 3
To match an Access Point name, enter the following command:
hostname(config-pmap)# match [not] apn regex [regex_name | class regex_class_name]
Where the regex_name is the regular expression you created in Step 1. The class regex_class_name is
the regular expression class map you created in Step 2.

Step 4
To match a message ID, enter the following command:
hostname(config-pmap)# match [not] message id [message_id | range lower_range upper_range]

Chapter 25 Configuring Application Layer Protocol Inspection
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
25-32
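The following configuration puts the steps above together into a working GTP map, added here as an illustration; it is not taken from the Cisco guide. The regex, class-map and policy-map names, the APN patterns and the message ID range are constructed, and the `drop log` action, the `parameters` submode and the `inspect gtp` / `service-policy` commands that activate the map come from other sections of the ASA guide rather than this page, so verify them against your software version.

```text
! Constructed example: names, APN patterns and message ID range are illustrative.
! Regular expressions and a regex class map listing the APNs this network
! is allowed to serve (the "Step 1" and "Step 2" the APN match refers to).
regex APN_INTERNET internet\.mnc001\.mcc001\.gprs
regex APN_CORP corp\.mnc001\.mcc001\.gprs
class-map type regex match-any ALLOWED_APNS
 match regex APN_INTERNET
 match regex APN_CORP
!
! The GTP inspection policy map built in Steps 1 to 4 of this section.
policy-map type inspect gtp GTP_INSPECT
 description Drop PDP contexts for unknown APNs and unused message IDs
 ! Step 3: a PDP context request whose APN is NOT in the allowed class map
 ! is dropped and logged, so only listed APNs cross the GPRS backbone.
 match not apn regex class ALLOWED_APNS
  drop log
 ! Step 4: drop a message ID range this network does not use (values illustrative).
 match message id range 240 255
  drop log
 ! Tighten the preconfigured defaults listed above rather than accepting them.
 parameters
  tunnel-limit 250
  request-queue 100
  timeout gsn 0:15:00
!
! Activate the map: GTP is not part of the default inspection set, so the map
! must be attached with inspect gtp in a service policy to take effect.
policy-map global_policy
 class inspection_default
  inspect gtp GTP_INSPECT
service-policy global_policy global
```

Once traffic flows, `show service-policy inspect gtp statistics` shows the counters for dropped and rate-limited messages, which is where a mistyped APN pattern first shows up as unexpected drops.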
