Cisco PIX 500 Series Configuration Manual page 497

Security appliance command line
Chapter 25
Configuring Application Layer Protocol Inspection
timeout signaling 0:30:00
timeout tunnel 0:01:00
tunnel-limit 500
To create and configure a GTP map, perform the following steps. You can then apply the GTP map when
you enable GTP inspection according to the "Configuring Application Inspection" section on page 25-5.
Step 1
To create a GTP inspection policy map, enter the following command:
hostname(config)# policy-map type inspect gtp policy_map_name
hostname(config-pmap)#
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration
mode.
Step 2
(Optional) To add a description to the policy map, enter the following command:
hostname(config-pmap)# description string
Step 3
To match an Access Point name, enter the following command:
hostname(config-pmap)# match [not] apn regex [ regex_name | class regex_class_name ]
Where the regex_name is the regular expression you created in Step 1. The class regex_class_name is
the regular expression class map you created in Step 2.
Step 4
To match a message ID, enter the following command:
hostname(config-pmap)# match [not] message id [ message_id | range lower_range upper_range ]
Where the message_id is an alphanumeric identifier between 1 and 255. The lower_range is the lower range
of message IDs. The upper_range is the upper range of message IDs.
Step 5
To match a message length, enter the following command:
hostname(config-pmap)# match [not] message length min min_length max max_length
Where the min_length and max_length are both between 1 and 65536. The length specified by this
command is the sum of the GTP header and the rest of the message, which is the payload of the UDP
packet.
Step 6
To match the version, enter the following command:
hostname(config-pmap)# match [not] version [ version_id | range lower_range upper_range ]
Where the version_id is between 0 and 255. The lower_range is the lower range of versions. The
upper_range is the upper range of versions.
Step 7
To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
The mnc network_code argument is a two- or three-digit value identifying the network code.
By default, the security appliance does not check for valid MCC/MNC combinations. This command
is used for IMSI Prefix filtering. The MCC and MNC in the IMSI of the received packet are compared
with the MCC/MNC configured with this command, and the packet is dropped if they do not match.
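The match criteria in Steps 4 through 6 can be checked offline against a sample packet before a policy map is deployed. The following Python sketch is an added example, not code from the Cisco guide or the appliance. It assumes the GTPv1 header layout of 3GPP TS 29.060 and that "message id" corresponds to the GTP message type octet; the names GtpMatch, parse_gtp and evaluate are hypothetical.

```python
import struct
from dataclasses import dataclass

# Constructed sample: GTPv1 Echo Request (flags 0x32, type 1, Length 4,
# TEID 0, sequence 1), 12 octets in total. Not captured traffic.
SAMPLE = bytes.fromhex("32 01 0004 00000000 0001 00 00")

@dataclass
class GtpMatch:
    """Hypothetical container for the Step 4-6 criteria; defaults match all."""
    id_low: int = 1          # match message id range lower_range upper_range
    id_high: int = 255
    min_len: int = 1         # match message length min min_length max max_length
    max_len: int = 65536
    ver_low: int = 0         # match version range lower_range upper_range
    ver_high: int = 255

def parse_gtp(udp_payload: bytes) -> dict:
    """Extract the fields the match commands refer to from one UDP payload."""
    if len(udp_payload) < 8:
        raise ValueError("shorter than the 8-octet mandatory GTPv1 header")
    flags, msg_type, length_field = struct.unpack("!BBH", udp_payload[:4])
    return {
        "version": flags >> 5,                 # top three bits of octet 1
        "message_id": msg_type,                # assumption: the GTP message type
        "length_field": length_field,          # excludes the first 8 octets
        "message_length": len(udp_payload),    # header + rest, as Step 5 defines
        # Added sanity check (GTPv1 only), not something the page describes.
        "length_consistent": length_field + 8 == len(udp_payload),
    }

def evaluate(udp_payload: bytes, crit: GtpMatch) -> dict:
    """Report which criteria a packet satisfies (without the 'not' keyword)."""
    f = parse_gtp(udp_payload)
    return {
        "message id": crit.id_low <= f["message_id"] <= crit.id_high,
        "message length": crit.min_len <= f["message_length"] <= crit.max_len,
        "version": crit.ver_low <= f["version"] <= crit.ver_high,
    }

if __name__ == "__main__":
    print(parse_gtp(SAMPLE))
    # A length window sized from the header's Length field (4) misses the
    # packet: the criterion counts all 12 octets of the UDP payload.
    print(evaluate(SAMPLE, GtpMatch(min_len=1, max_len=8)))
    print(evaluate(SAMPLE, GtpMatch(min_len=1, max_len=12, ver_low=1, ver_high=1)))
```

The sketch covers only the three numeric criteria; APN regex matching and IMSI prefix filtering require decoding GTP information elements and are left out.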
OL-12172-03
Cisco Security Appliance Command Line Configuration Guide
GTP Inspection
25-33
This manual is also suitable for: ASA 5500 series