ASA 5505: Adding rules to permit WiFi/VoIP Calling?
I have several cell phones with T-Mobile, all of which support routing voice calls via WiFi instead of through cellular. The feature seems to work just fine on the Android phone implementation without modification to firewall rules, but on a phone running Apple iOS 8, it doesn't seem to work at all.
To further test this, I disconnected the iPhone from the WiFi network protected by the ASA-5505 and joined it to a Verizon "MiFi" hotspot device. The iPhone then seemed to be able to make calls over WiFi.
This leads me to the conclusion that there is something very specific about the TCP and UDP ports that the Apple iOS implementation requires, given that it works with a mobile hotspot. My inclination is that it uses some sort of UPNP manipulation to dynamically open the ports it needs and the ASA of course does not permit this. I am still trying to pin down both Apple and T-Mobile support to detail to me which ports I need open, but I did find some references to the services/ports other implementations from T-Mobile requires, and it looks like the following is required:
It also appears I need to permit icmp/unreachable to the TMO2 net range of 184.108.40.206 - 220.127.116.11 as well.
So, I have two questions:
1. What are the statements required to allow the traffic on the above-specified ports and permit the icmp traffic as well?
2. What is the best practice to assign those rules to a range of private IP addresses? In other words, I want to set up a group that these rules apply to so that I can reserve multiple private addresses to assign to the iPhones when they join this network so that I am not manually performing this for additional iPhones? I will configure a static reservation via MAC address on my DHCP server (since an ASA cannot do this... GRRRRR) of 192.168.0.50 through 192.168.0.55 to be assigned to the iPhones so that only these rules apply to that range of addresses on the inside.
So did I understand correctly that you want to allow the listed ports when connections are coming from your LAN to the external networks? Or was there some need to enable connections inbound from the external network to your LAN?
The ACL rules should be simple to add if they are really needed.
If you want to allow traffic to the mentioned ports only for certain source hosts then that portion of the ACL should look something like this.
object-group service IPHONE-SERVICES
 description Protocol-port used by iPhones
 service-object tcp range 5060 5061
 service-object udp range 40283 59999
 service-object udp eq 500
 service-object udp eq 4500
object-group network IPHONE-LOCAL
 description iPhone DHCP reservations (the 192.168.0.50-55 range from the question)
 network-object host 192.168.0.50
 network-object host 192.168.0.51
 network-object host 192.168.0.52
 network-object host 192.168.0.53
 network-object host 192.168.0.54
 network-object host 192.168.0.55
access-list INSIDE-IN remark Allow iPhone Wifi VOIP services
access-list INSIDE-IN extended permit object-group IPHONE-SERVICES object-group IPHONE-LOCAL any
The above configuration could be done in a slightly different format depending on what the software level on your ASA is.
In the above configuration naturally the ACL name is made up and you most likely have an existing ACL with different name so you both have to use that ACL name and also add these lines to the top of the ACL. I am not sure if you wanted to block these ports for every other host behind that same interface? If so, then in that case I would consider the fact that blocking these ports would for example block the use of IPsec VPN from any other hosts as UDP/500 and UDP/4500 are used for both VPN negotiations and passing the encapsulated/encrypted traffic.
I would imagine that your ACL already contains a rule that generally allows all traffic, so in that case the above rules would not really do anything. They only really have meaning if you are already blocking those ports or don't have a general rule that permits all traffic from internal subnets to the external networks.
With regards to the ICMP return traffic I would suggest the following configurations
Check that you have the proper "inspect" configurations present by using the command
show run policy-map
If the configurations don't include the following then add these:
inspect icmp error
You could also add the following lines to the top of your external interface's ACL. Again the ACL name is made up and you should probably add the lines to the top of your current ACL.
access-list OUTSIDE-IN remark ICMP return traffic
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable
If there is a doubt that the ASA is blocking some traffic from the internal Wifi hosts, I would suggest logging in to the ASA with ASDM and filtering the real-time log viewer with the source IP address of the host, and seeing what the ASA is blocking or, if not blocking, what is happening to those connection attempts. If needed you could also perform a traffic capture on the ASA itself to see what traffic is coming to the ASA from those hosts (if the logs are not enough, as they sometimes are not).
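As an added example of the log check the answer recommends (this is not code from the thread), the script below parses %ASA-4-106023 access-group deny messages, keeps only those involving the 192.168.0.50-55 reservations, and reports whether each denied flow is one the IPHONE-SERVICES rules should already permit, a port that is not on the list, or ICMP return traffic the OUTSIDE-IN entries are meant to allow. The sample lines are constructed in the ASA syslog format with documentation addresses; the ACL and object-group names are the ones the answer used.

```python
import ipaddress
import re

# Inclusive iPhone reservation range (from the question) and the ports the answer's IPHONE-SERVICES group permits.
IPHONE_FIRST, IPHONE_LAST = ipaddress.ip_address("192.168.0.50"), ipaddress.ip_address("192.168.0.55")
EXPECTED = {"tcp": [(5060, 5061)], "udp": [(40283, 59999), (500, 500), (4500, 4500)]}
# %ASA-4-106023 access-group deny message; ICMP entries carry "(type N, code M)" and no ports.
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))?(?: \(type (?P<itype>\d+), code (?P<icode>\d+)\))?'
    r' by access-group "(?P<acl>[^"]+)"')

def parse_deny(line):
    # Fields of one 106023 line as a dict (ports and ICMP type/code as int); None for any other message.
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d.update({k: int(d[k]) for k in ("sport", "dport", "itype", "icode") if d[k] is not None})
    return d

def classify(d):
    # ICMP return traffic is addressed *to* the phone; everything else originates *from* it.
    phone = d["dip"] if d["proto"] == "icmp" else d["sip"]
    if not IPHONE_FIRST <= ipaddress.ip_address(phone) <= IPHONE_LAST:
        return "other"
    if d["proto"] == "icmp":
        # type 0 echo-reply, 3 unreachable, 11 time-exceeded: what the answer's OUTSIDE-IN entries permit
        return "icmp-return-missing" if d["itype"] in (0, 3, 11) else "other"
    listed = any(lo <= d["dport"] <= hi for lo, hi in EXPECTED.get(d["proto"], []))
    return "listed-port-still-denied" if listed else "unlisted-port"

def summarize(lines):
    # finding -> [(proto, dst port or ICMP type, ACL that dropped it)], skipping flows not about the phones
    report = {}
    for line in lines:
        d = parse_deny(line)
        if d is None or (cat := classify(d)) == "other":
            continue
        key = d["itype"] if d["proto"] == "icmp" else d["dport"]
        report.setdefault(cat, []).append((d["proto"], key, d["acl"]))
    return report

# Constructed sample lines in the ASA syslog format; the external addresses are documentation ranges.
SAMPLE = [
    '%ASA-4-106023: Deny udp src inside:192.168.0.51/4500 dst outside:203.0.113.7/4500 by access-group "INSIDE-IN" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src inside:192.168.0.50/51234 dst outside:203.0.113.7/443 by access-group "INSIDE-IN" [0x0, 0x0]',
    '%ASA-4-106023: Deny icmp src outside:203.0.113.7 dst inside:192.168.0.50 (type 3, code 3) by access-group "OUTSIDE-IN" [0x0, 0x0]',
]
```

A "listed-port-still-denied" finding means the permit entry is missing or sits below a deny in the ACL; "icmp-return-missing" points at the inspect icmp error / OUTSIDE-IN part of the answer.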