Configuring a GTP Inspection Policy Map for Additional Inspection Control
If you want to enforce additional parameters on GTP traffic, create and configure a GTP map. If you do not specify a map with the inspect gtp command, the ASA uses the default GTP map, which is preconfigured with the following default values:
- request-queue 200
- timeout gsn 0:30:00
- timeout pdp-context 0:30:00
- timeout request 0:01:00
- timeout signaling 0:30:00
- timeout tunnel 0:01:00
- tunnel-limit 500
To create and configure a GTP map, perform the following steps. You can then apply the GTP map when you enable GTP inspection according to the “Configuring Application Layer Protocol Inspection” section.
Step 1 To create a GTP inspection policy map, enter the following command:
ciscoasa(config)# policy-map type inspect gtp policy_map_name
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
Step 2 (Optional) To add a description to the policy map, enter the following command:
ciscoasa(config-pmap)# description string
Step 3 To match an Access Point Name (APN), enter the following command:
ciscoasa(config-pmap)# match [not] apn regex [regex_name | class regex_class_name]
Step 4 To match a message ID, enter the following command:
ciscoasa(config-pmap)# match [not] message id [message_id | range lower_range upper_range]
Where the message_id is an alphanumeric identifier between 1 and 255. The lower_range is the lower end of the range of message IDs, and the upper_range is the upper end of the range.
Step 5 To match a message length, enter the following command:
ciscoasa(config-pmap)# match [not] message length min min_length max max_length
Where the min_length and max_length are both between 1 and 65536. The length specified by this command is the sum of the GTP header and the rest of the message, which is the payload of the UDP packet.
Step 6 To match the version, enter the following command:
ciscoasa(config-pmap)# match [not] version [version_id | range lower_range upper_range]
Where the version_id is between 0 and 255. The lower_range is the lower end of the range of versions, and the upper_range is the upper end of the range.
Step 7 To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
ciscoasa(config-pmap)# parameters
The mnc network_code argument is a two- or three-digit value identifying the network code.
By default, the security appliance does not check for valid MCC/MNC combinations. This command is used for IMSI Prefix filtering: the MCC and MNC in the IMSI of the received packet are compared with the MCC/MNC configured with this command, and the packet is dropped if they do not match.
This command must be used to enable IMSI Prefix filtering. You can configure multiple instances to specify permitted MCC and MNC combinations. Because the ASA does not check the validity of MNC and MCC combinations, you must verify the validity of the combinations you configure. For more information about MCC and MNC codes, see the ITU E.212 recommendation, Identification Plan for Land Mobile Stations.
b. To allow invalid GTP packets or packets that otherwise would fail parsing and be dropped, enter the following command:
ciscoasa(config-pmap-p)# permit errors
By default, all invalid packets, or packets that fail during parsing, are dropped.
c. To enable support for GSN pooling, use the permit response command.
If the ASA performs GTP inspection, by default the ASA drops GTP responses from GSNs that were not specified in the GTP request. This situation occurs when you use load balancing among a pool of GSNs to provide efficiency and scalability of GPRS.
You can enable support for GSN pooling by using the permit response command. This command configures the ASA to allow responses from any of a designated set of GSNs, regardless of the GSN to which a GTP request was sent. You identify the pool of load-balancing GSNs as a network object. Likewise, you identify the SGSN as a network object. If the responding GSN belongs to the same object group as the GSN that the GTP request was sent to, and if the SGSN is in an object group that the responding GSN is permitted to send a GTP response to, the ASA permits the response.
d. To create an object to represent the pool of load-balancing GSNs, perform the following steps:
Use the object-group command to define a new network object group representing the pool of load-balancing GSNs.
ciscoasa(config)# object-group network GSN-pool-name
ciscoasa(config-network)#
For example, the following command creates an object group named gsnpool32:
ciscoasa(config)# object-group network gsnpool32
ciscoasa(config-network)#
e. Use the network-object command to specify the load-balancing GSNs. You can do so with one network-object command per GSN, using the host keyword. You can also use the network-object command to identify whole networks containing GSNs that perform load balancing.
ciscoasa(config-network)# network-object host IP-address
For example, the following commands create three network objects representing individual hosts:
ciscoasa(config-network)# network-object host 192.168.100.1
ciscoasa(config-network)# network-object host 192.168.100.2
ciscoasa(config-network)# network-object host 192.168.100.3
ciscoasa(config-network)#
f. To create an object to represent the SGSN that the load-balancing GSNs are permitted to respond to, perform the following steps:
a. Use the object-group command to define a new network object group that will represent the SGSN that sends GTP requests to the GSN pool.
ciscoasa(config)# object-group network SGSN-name
ciscoasa(config-network)#
For example, the following command creates an object group named sgsn32:
ciscoasa(config)# object-group network sgsn32
ciscoasa(config-network)#
b. Use the network-object command with the host keyword to identify the SGSN.
ciscoasa(config-network)# network-object host IP-address
For example, the following command creates a network object representing the SGSN:
ciscoasa(config-network)# network-object host 192.168.50.100
ciscoasa(config-network)#
g. To allow GTP responses from any GSN in the network object representing the GSN pool, defined in step d., to the network object representing the SGSN, defined in step f., enter the following commands:
ciscoasa(config)# gtp-map map_name
ciscoasa(config-gtp-map)# permit response to-object-group SGSN-name from-object-group GSN-pool-name
For example, the following command permits GTP responses from any host in the object group named gsnpool32 to the host in the object group named sgsn32:
ciscoasa(config-gtp-map)# permit response to-object-group sgsn32 from-object-group gsnpool32
The following example shows how to support GSN pooling by defining network objects for the GSN pool and the SGSN. An entire Class C network is defined as the GSN pool, but you can identify multiple individual IP addresses, one per network-object command, instead of identifying whole networks. The example then modifies a GTP map to permit responses from the GSN pool to the SGSN.
ciscoasa(config)# object-group network gsnpool32
ciscoasa(config-network)# network-object 192.168.100.0 255.255.255.0
ciscoasa(config)# object-group network sgsn32
ciscoasa(config-network)# network-object host 192.168.50.100
ciscoasa(config)# gtp-map gtp-policy
ciscoasa(config-gtp-map)# permit response to-object-group sgsn32 from-object-group gsnpool32
h. To specify the maximum number of GTP requests that will be queued waiting for a response, enter the following command:
ciscoasa(config-gtp-map)# request-queue max_requests
where the max_requests argument sets the maximum number of GTP requests that will be queued waiting for a response, from 1 to 4294967295. The default is 200.
When the limit has been reached and a new request arrives, the request that has been in the queue for the longest time is removed. The Error Indication, Version Not Supported, and SGSN Context Acknowledge messages are not considered requests and do not enter the request queue to wait for a response.
i. To change the inactivity timers for a GTP session, enter the following command:
ciscoasa(config-gtp-map)# timeout {gsn | pdp-context | request | signaling | tunnel} hh:mm:ss
Enter this command separately for each timeout.
The gsn keyword specifies the period of inactivity after which a GSN will be removed.
The pdp-context keyword specifies the maximum period of time allowed before beginning to receive the PDP context.
The request keyword specifies the maximum period of time allowed before beginning to receive the GTP message.
The signaling keyword specifies the period of inactivity after which the GTP signaling will be removed.
The tunnel keyword specifies the period of inactivity after which the GTP tunnel will be torn down.
The hh:mm:ss argument is the timeout, where hh specifies the hours, mm specifies the minutes, and ss specifies the seconds. The value 0 means never tear down.
j. To specify the maximum number of GTP tunnels allowed to be active on the ASA, enter the following command:
ciscoasa(config-gtp-map)# tunnel-limit max_tunnels
where the max_tunnels argument is the maximum number of tunnels allowed, from 1 to 4294967295. The default is 500.
New requests will be dropped once the number of tunnels specified by this command is reached.
The following example shows how to limit the number of tunnels in the network:
ciscoasa(config)# policy-map type inspect gtp gmap
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# tunnel-limit 3000
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect gtp gmap
ciscoasa(config)# service-policy global_policy global
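The following configuration is an added example, not from the original page or from Cisco's own documentation. It assembles Steps 1 through 7 into one GTP inspection policy map (match criteria, IMSI prefix filtering, GSN pooling, request queue, timeouts and tunnel limit) and then applies the map, so the pieces above can be seen working together. The regex object apn-example and its pattern, the object-group names, the message ID, length threshold, MCC/MNC values, request-queue, timeout and tunnel-limit values are all constructed; the per-match actions (drop log, log) and the mcc/mnc and regex command syntax are assumed from standard ASA inspection policy map syntax, since the page refers to the MCC/MNC command but does not print it.

```text
! Added example: complete GTP inspection policy map (not the page's own text).
! Names and values below are constructed for illustration.

! Regex object referenced by "match apn regex" (assumed command syntax; pattern constructed)
regex apn-example example\.gprs

! Network object groups used for GSN pooling (Step 7 d. and f.)
object-group network gsnpool32
 network-object 192.168.100.0 255.255.255.0
object-group network sgsn32
 network-object host 192.168.50.100

! The GTP inspection policy map (Steps 1 to 6)
policy-map type inspect gtp gtp-policy
 description GTP inspection with APN, message and version checks
 ! Drop and log any message whose APN matches the regex object
 ! ("drop log" / "log" actions are assumed ASA inspection policy map syntax)
 match apn regex apn-example
  drop log
 ! Log messages with a constructed message ID of 3
 match message id 3
  log
 ! Drop messages whose total length (GTP header plus payload) exceeds
 ! a constructed threshold of 1500 bytes
 match not message length min 1 max 1500
  drop log
 ! Log any message whose GTP version is not 0 or 1
 match not version range 0 1
  log
 ! Inspection engine parameters (Step 7)
 parameters
  ! Permitted MCC/MNC combination for IMSI prefix filtering
  ! (mcc/mnc syntax assumed; 001/01 are ITU test PLMN values, used as placeholders)
  mcc 001 mnc 01
  ! GSN pooling: allow responses from any GSN in gsnpool32 back to sgsn32
  ! (placed under parameters rather than the older gtp-map command shown above; assumed)
  permit response to-object-group sgsn32 from-object-group gsnpool32
  ! "permit errors" is deliberately left out so invalid packets keep the default drop
  ! Queue up to 400 GTP requests awaiting a response (constructed; default is 200)
  request-queue 400
  ! Inactivity timers; tunnel timeout raised from the 0:01:00 default (constructed)
  timeout gsn 0:30:00
  timeout pdp-context 0:30:00
  timeout request 0:01:00
  timeout signaling 0:30:00
  timeout tunnel 0:02:00
  ! Cap active GTP tunnels at 3000 (constructed; default is 500)
  tunnel-limit 3000

! Apply the map by enabling GTP inspection in the global service policy
policy-map global_policy
 class inspection_default
  inspect gtp gtp-policy
service-policy global_policy global
```

After entering the configuration, "show running-config policy-map" lists the map as stored, and "show service-policy inspect gtp" reports the inspection counters, which is the quickest way to confirm that the map is attached and that the request-queue and tunnel-limit values took effect rather than the defaults.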