Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
Chapter 22 Applying Application Layer Protocol Inspection
GTP Inspection

b. Configure GTP inspection parameters. To do so, use the GTP map configuration mode commands that you want to enforce. For a list of commands, see Table 22-4.

Step 5 Create a policy map or modify an existing policy map that you want to use to apply the GTP inspection engine to GTP traffic. To do so, use the policy-map command, as follows.

hostname(config-cmap)# policy-map policy_map_name
hostname(config-pmap)#

where policy_map_name is the name of the policy map. The CLI enters the policy map configuration mode and the prompt changes accordingly.

Step 6 Specify the class map, created in Step 2, that identifies the GTP traffic. Use the class command to do so, as follows.

hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#

where class_map_name is the name of the class map you created in Step 2. The CLI enters the policy map class configuration mode and the prompt changes accordingly.

Step 7 Enable GTP application inspection. To do so, use the inspect gtp command, as follows:

hostname(config-pmap-c)# inspect gtp [map_name]
hostname(config-pmap-c)#

where map_name is the GTP map that you may have created in optional Step 4.

Step 8 Use the service-policy command to apply the policy map globally or to a specific interface, as follows:

hostname(config-pmap-c)# service-policy policy_map_name [global | interface interface_ID]
hostname(config)#

where policy_map_name is the policy map you configured in Step 5. If you want to apply the policy map to traffic on all the interfaces, use the global option. If you want to apply the policy map to traffic on a specific interface, use the interface interface_ID option, where interface_ID is the name assigned to the interface with the nameif command.

The FWSM begins inspecting GTP traffic, as specified.

Example 22-6 shows how to use access lists to identify GTP traffic, define a GTP map, define a policy, and apply the policy to the outside interface.

Example 22-6 Enabling and Configuring GTP Inspection

hostname(config)# access-list gtp_acl permit udp any any eq 3386
hostname(config)# access-list gtp_acl permit udp any any eq 2123
hostname(config)# class-map gtp-traffic
hostname(config-cmap)# match access-list gtp_acl
hostname(config-cmap)# gtp-map sample_map
hostname(config-gtp-map)# request-queue 300
hostname(config-gtp-map)# permit mcc 111 mnc 222
hostname(config-gtp-map)# message-length min 20 max 300
hostname(config-gtp-map)# drop message 20
hostname(config-gtp-map)# tunnel-limit 10000
hostname(config)# policy-map sample_policy
hostname(config-pmap)# class gtp-traffic
hostname(config-pmap-c)# inspect gtp sample_map
hostname(config)# service-policy sample_policy interface outside
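
One way to confirm, from a saved configuration, that the chain built in Steps 5 through 8 is complete (an added example, not part of the Cisco guide): the hypothetical audit_gtp function traces each inspect gtp entry back to its service-policy, its GTP map and the UDP ports of its access list. It assumes the class map matches an access list, as in Example 22-6; SAMPLE is a constructed configuration.

```python
# Constructed sample: commands from Example 22-6 laid out as a saved configuration.
SAMPLE = """\
access-list gtp_acl permit udp any any eq 3386
access-list gtp_acl permit udp any any eq 2123
class-map gtp-traffic
 match access-list gtp_acl
gtp-map sample_map
 request-queue 300
policy-map sample_policy
 class gtp-traffic
  inspect gtp sample_map
service-policy sample_policy interface outside
"""
GTP_PORTS = ("3386", "2123")  # the UDP ports matched in Example 22-6

def audit_gtp(config):
    """Return findings for a broken GTP inspection chain; [] means it is complete."""
    acl_ports, class_acl, gtp_maps, inspected, applied = {}, {}, set(), {}, set()
    section = cls = None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "access-list" and "udp" in w and "eq" in w[:-1]:
            acl_ports.setdefault(w[1], set()).add(w[w.index("eq") + 1])
        elif w[0] in ("class-map", "policy-map", "gtp-map"):
            section, cls = (w[0], w[-1]), None  # entering a new configuration section
            if w[0] == "gtp-map":
                gtp_maps.add(w[-1])
        elif w[0] == "service-policy" and len(w) > 1:
            applied.add(w[1])
        elif section and section[0] == "class-map" and w[:2] == ["match", "access-list"]:
            class_acl[section[1]] = w[-1]
        elif section and section[0] == "policy-map" and w[0] == "class":
            cls = w[-1]
        elif section and section[0] == "policy-map" and w[:2] == ["inspect", "gtp"]:
            inspected[(section[1], cls)] = w[2] if len(w) > 2 else None
    findings = [] if inspected else ["no 'inspect gtp' in any policy map"]
    for (pmap, cmap), gmap in inspected.items():
        if pmap not in applied:
            findings.append(f"policy-map {pmap} is not applied by service-policy")
        if gmap and gmap not in gtp_maps:
            findings.append(f"gtp-map {gmap} is referenced but not defined")
        ports = acl_ports.get(class_acl.get(cmap), set())
        findings += [f"class {cmap} does not match udp/{p}" for p in GTP_PORTS if p not in ports]
    return findings

if __name__ == "__main__":
    print(audit_gtp(SAMPLE) or "GTP inspection chain complete")
```

An empty result means every inspect gtp entry is reachable from an applied policy; each finding names the step of the procedure that was skipped.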