ASA 5505: Adding rules to permit WiFi/VoIP Calling?

Rob Royse
Level 1

Greetings,

I have several cell phones with T-Mobile, all of which support routing voice calls via WiFi instead of through cellular. The feature seems to work just fine on the Android phone implementation without modification to firewall rules, but on a phone running Apple iOS 8, it doesn't seem to work at all.

To further test this, I disconnected the iPhone from the WiFi network protected by the ASA-5505 and joined it to a Verizon "MiFi" hotspot device. The iPhone then seemed to be able to make calls over WiFi.

This leads me to the conclusion that there is something very specific about the TCP and UDP ports that the Apple iOS implementation requires, given that it works with a mobile hotspot. My inclination is that it uses some sort of UPnP manipulation to dynamically open the ports it needs and the ASA of course does not permit this. I am still trying to pin down both Apple and T-Mobile support to detail to me which ports I need open, but I did find some references to the services/ports other implementations from T-Mobile require, and it looks like the following is required:

tcp/5060-5061
udp/40283-59999
udp/4500
udp/500

It also appears I need to permit icmp/unreachable to the TMO2 net range of 208.54.0.1 - 208.54.159.254 as well.

So, I have two questions:

1. What are the statements required to allow the traffic on the above-specified ports and permit the ICMP traffic as well?

2. What is the best practice to assign those rules to a range of private IP addresses? In other words, I want to set up a group that these rules apply to, so that I can reserve multiple private addresses to assign to the iPhones when they join this network and am not manually performing this for additional iPhones. I will configure a static reservation via MAC address on my DHCP server (since an ASA cannot do this... GRRRRR) of 192.168.0.50 through 192.168.0.55 to be assigned to the iPhones, so that only these rules apply to that range of addresses on the inside.

Thanks in advance for your assistance,

-Rob

3 Replies

Rob Royse
Level 1

Bumping this up... Anyone?

Hi,

So did I understand correctly that you want to allow the listed ports when connections are coming from your LAN to the external networks? Or was there some need to enable connections inbound from the external network to your LAN?

The ACL rules should be simple to add if they are really needed.

If you want to allow traffic to the mentioned ports only for certain source hosts then that portion of the ACL should look something like this.

object-group network IPHONE-LOCAL
 description iPhone local IP addresses
 network-object host 192.168.0.50
 network-object host 192.168.0.51
 network-object host 192.168.0.52
 network-object host 192.168.0.53
 network-object host 192.168.0.54
 network-object host 192.168.0.55

object-group service IPHONE-SERVICES
 description Protocol-port used by iPhones
 service-object tcp range 5060 5061
 service-object udp range 40283 59999
 service-object udp eq 500
 service-object udp eq 4500

access-list INSIDE-IN remark Allow iPhone Wifi VOIP services
access-list INSIDE-IN permit object-group IPHONE-SERVICES object-group IPHONE-LOCAL any

The above configuration could be done in a slightly different format depending on what the software level on your ASA is.

In the above configuration naturally the ACL name is made up and you most likely have an existing ACL with a different name, so you both have to use that ACL name and also add these lines to the top of the ACL. I am not sure if you wanted to block these ports for every other host behind that same interface? If so, then in that case I would consider the fact that blocking these ports would for example block the use of IPsec VPN from any other hosts, as UDP/500 and UDP/4500 are used for both VPN negotiations and passing the encapsulated/encrypted traffic.

I would imagine that your ACL already contains a rule that generally allows all traffic, so in that case the above rules would not really do anything. They only really have meaning if you are already blocking those ports or don't have a general rule that permits all traffic from internal subnets to the external networks.

With regards to the ICMP return traffic I would suggest the following configurations.

Check that you have the proper "inspect" configurations present by using the command

show run policy-map

If the configurations don't include the following then add these:

inspect icmp
inspect icmp error

You could also add the following lines to the top of your external interface's ACL. Again the ACL name is made up and you should probably add the lines to the top of your current ACL.

access-list OUTSIDE-IN remark ICMP return traffic
access-list OUTSIDE-IN permit icmp any any echo-reply
access-list OUTSIDE-IN permit icmp any any time-exceeded
access-list OUTSIDE-IN permit icmp any any unreachable

If there is a doubt that the ASA is blocking some traffic from the internal WiFi hosts I would suggest logging in to the ASA with ASDM and filtering the real-time log viewer with the source IP address of the host, and seeing what the ASA is blocking or, if not blocking, what is happening to those connection attempts. If needed you could also perform a traffic capture on the ASA itself to see what traffic is coming to the ASA from those hosts (if the logs are not enough, as they sometimes are not).

Hope this helps :)

- Jouni
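As an added, worked version of the reply above (not Jouni's configuration and not from any Cisco document), the following pulls the object groups, the inside ACL, the ICMP inspection and the troubleshooting commands together in ASA 8.3+ syntax. It covers question 2 by putting the DHCP-reserved range in a single network object instead of six host entries, so a new iPhone only needs a DHCP reservation and no ASA change. Assumed names: interfaces "inside" and "outside", an inside ACL called INSIDE-IN, the default policy map "global_policy", and 208.54.1.1 as a sample destination inside the 208.54.0.0 range quoted in the question (not a verified T-Mobile endpoint). Lines beginning with "!" are comments. On ASA 8.2 and earlier the `destination` keyword and `object` references do not exist, and the `service-object tcp range ...` form with an `object-group network` from the reply above is the one to use.

```text
! Added example, ASA 8.3+ syntax; names below are assumptions (see lead-in)

! Question 2: one object for the DHCP-reserved range, no per-host entries to maintain
object network IPHONE-LOCAL
 description iPhone addresses reserved by MAC on the DHCP server
 range 192.168.0.50 192.168.0.55

! Ports from the question: SIP and SIP/TLS, RTP media, IKE and IPsec NAT-T
object-group service IPHONE-SERVICES
 description Wi-Fi Calling ports, matched on the destination side
 service-object tcp destination range 5060 5061
 service-object udp destination range 40283 59999
 service-object udp destination eq 500
 service-object udp destination eq 4500

! Question 1: permit those ports outbound only from the reserved hosts, at the top of the inside ACL
access-list INSIDE-IN line 1 remark Allow iPhone Wi-Fi Calling
access-list INSIDE-IN line 2 extended permit object-group IPHONE-SERVICES object IPHONE-LOCAL any
access-group INSIDE-IN in interface inside

! ICMP: have the ASA track echo replies and "unreachable" errors in its connection table;
! with this in place the OUTSIDE-IN icmp permits from the reply are not required
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! Verification: hit counts, the inspection state, and a simulated IKE NAT-T packet
! from a reserved iPhone (the last line of packet-tracer output should read "Action: allow")
show access-list INSIDE-IN
show service-policy inspect icmp
packet-tracer input inside udp 192.168.0.50 4500 208.54.1.1 4500

! Live evidence: syslog filtered on the host, then a capture of everything it sends to the ASA
logging enable
logging buffered informational
show logging | include 192.168.0.50
capture IPHONE interface inside match ip host 192.168.0.50 any
show capture IPHONE
no capture IPHONE
```

The `line 1` / `line 2` keywords put the entries ahead of whatever the existing ACL already contains, which matters because the ASA stops at the first match; if a broad `permit ip any any` sits above them the new lines never see traffic, and if a `deny` for UDP/500 or UDP/4500 sits above them the iPhones still cannot negotiate IKE. The `packet-tracer` run shows which ACL line, NAT rule and inspection a given packet hits, which is usually faster than watching the log viewer.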

patrickwj
Level 1

I know this is an old thread, but I'm currently having this exact problem and I'm wondering if anyone has found a fix?
