Cisco ASA Series Configuration Manual page 364

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

GTP Inspection
b. Set one or more parameters. You can set the following options; use the no form of the command to disable the option:
hostname(config-pmap-p)#
permit errors—Allows invalid GTP packets, or packets that would otherwise fail parsing and be dropped.
request-queue max_requests—Sets the maximum number of GTP requests that will be queued waiting for a response. The default is 200. When the limit has been reached and a new request arrives, the request that has been in the queue for the longest time is removed. The Error Indication, Version Not Supported, and SGSN Context Acknowledge messages are not considered requests and do not enter the request queue to wait for a response.
tunnel-limit max_tunnels—Sets the maximum number of GTP tunnels allowed to be active on the ASA. The default is 500. New requests will be dropped once the number of tunnels specified by this command is reached.
timeout {gsn | pdp-context | request | signaling | tunnel} time—Sets the idle timeout for the specified service (in hh:mm:ss format). To have no timeout, specify 0 for the time. Enter the command separately for each timeout.
The gsn keyword specifies the period of inactivity after which a GSN will be removed.
The pdp-context keyword specifies the maximum period of time allowed before beginning to receive the PDP context.
The request keyword specifies the maximum period of time allowed before beginning to receive the GTP message.
The signaling keyword specifies the period of inactivity after which the GTP signaling will be removed.
The tunnel keyword specifies the period of inactivity after which the GTP tunnel will be torn down.
Step 5 While still in parameter configuration mode, configure IMSI prefix filtering, if desired.
hostname(config-pmap-p)# mcc country_code mnc network_code
By default, the security appliance does not check for valid Mobile Country Code (MCC)/Mobile Network Code (MNC) combinations. If you configure IMSI prefix filtering, the MCC and MNC in the IMSI of the received packet are compared with the configured MCC/MNC combinations, and the packet is dropped if they do not match.
The Mobile Country Code is a non-zero, three-digit value; add zeros as a prefix for one- or two-digit values. The Mobile Network Code is a two- or three-digit value.
Add all permitted MCC and MNC combinations. By default, the ASA does not check the validity of MNC and MCC combinations, so you must verify the validity of the combinations you configure. For more information about MCC and MNC codes, see ITU recommendation E.212, Identification Plan for Land Mobile Stations.
Step 6 While still in parameter configuration mode, configure GSN pooling, if desired.
hostname(config-pmap-p)# permit response to-object-group SGSN_name from-object-group GSN_pool
When the ASA performs GTP inspection, by default the ASA drops GTP responses from GSNs that were not specified in the GTP request. This situation occurs when you use load balancing among a pool of GSNs to provide efficiency and scalability of GPRS.
Cisco ASA Series Firewall CLI Configuration Guide
15-8
Chapter 15
Inspection of Database, Directory, and Management Protocols
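The steps above, put together as one GTP inspection policy and attached to the global service policy. This is an added example, not configuration from the guide: the policy name, object-group names, the 192.0.2.0/24 and 198.51.100.0/24 addresses, and the limit and timeout values are assumed, and MCC 001 / MNC 01 is the ITU E.212 test-network code used as a placeholder.

```cisco
! Added example (not from the guide). Names, addresses, limits and
! timers below are assumed; MCC 001 / MNC 01 is the E.212 test PLMN.
!
! SGSNs that send GTP requests, and the pool of GSNs allowed to answer.
object-group network SGSN_GROUP
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group network GSN_POOL
 network-object 198.51.100.0 255.255.255.0
!
policy-map type inspect gtp GTP_POLICY
 parameters
  ! "permit errors" is left unset (the default), so malformed GTP
  ! packets and packets that fail parsing stay dropped.
  ! Request queue (default 200): when full, the oldest pending request
  ! is evicted, so size it for the real SGSN population.
  request-queue 400
  ! Cap active tunnels (default 500) so tunnel exhaustion is bounded.
  tunnel-limit 1000
  ! Idle timers in hh:mm:ss. A value of 0 disables a timer; none of
  ! these use 0, so idle state is always reclaimed.
  timeout gsn 0:30:00
  timeout pdp-context 0:30:00
  timeout request 0:01:00
  timeout signaling 0:30:00
  timeout tunnel 1:00:00
  ! IMSI prefix filtering: a packet whose IMSI MCC/MNC matches no
  ! configured pair is dropped. List every legitimate home PLMN; the
  ! ASA does not validate the pairs against E.212, so verify them.
  mcc 001 mnc 01
  ! GSN pooling: accept responses from any GSN in the pool, not only
  ! from the GSN the request was addressed to.
  permit response to-object-group SGSN_GROUP from-object-group GSN_POOL
!
! Attach the GTP policy to the default global service policy.
policy-map global_policy
 class inspection_default
  inspect gtp GTP_POLICY
service-policy global_policy global
```

After applying, show service-policy inspect gtp statistics reports the inspection counters, which is the place to confirm that drops are attributable to the configured limits and filters rather than to a mis-typed MCC/MNC pair.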
