topic Re: Route outgoing gmail application received on specific internal interface out different Public IP in General Topics

Route outgoing gmail application received on specific internal interface out different Public IP

Retired Member — Thu, 17 Jul 2014 21:01:39 GMT

I'm trying to figure out the best and easiest way to route all gmail application (gmail-base and gmail-enterprise primarily) that enters on an internal port from one network and send it out using a separate pubic IP we have. Currently all internet based outbound traffic goes out a using a single IP and we are having an issue with that IP getting MX blacklisted by Barracuda. I am suspecting that this internal network port is where the "promotional material" is being sent out and since we have several networks all using the same public IP for outbound general internet, they are all affected by this. So I have the gmail web IP blocks identified that I would like to use either NAT and/or PBF to take all traffic received on that internal network interface and send it out using a separate public IP we have so when they abuse the limits that Barracuda sets for identifying spam sources, it only affects their internal network. Since the gmail application can't be used in a PBF, I'm struggling to find another way other than sending all their outbound internet traffic out a separate IP which would require more setup. Unfortunately, they are in the same Zone as all our internal networks connected to the PA also. Is there anything I can do easily or will I have to look at separating out the Zones also?

Thanks

Re: Route outgoing gmail application received on specific internal interface out different Public IP

mivaldi — Fri, 18 Jul 2014 21:28:16 GMT

You can use PBF using a Dynamic Address Object.

Check Google IP address ranges

You can then set up a cron task to push Google IP addresses to the Dynamic Address object.

Refer to How to Add an IP Address to a Dynamic Address Group using API

You could alternatively leverage information to create an EBL from radb.net and shadowserver.org as follows:

mivaldi$ ping www.google.com

PING www.google.com (74.125.239.49😞 56 data bytes

64 bytes from 74.125.239.49: icmp_seq=0 ttl=54 time=2.506 ms

--- www.google.com ping statistics ---

1 packets transmitted, 1 packets received, 0.0% packet loss

round-trip min/avg/max/stddev = 2.506/2.506/2.506/0.000 ms

mivaldi$ whois -h asn.shadowserver.org "origin 74.125.239.49"

15169 | 74.125.239.0/24 | GOOGLE | US | google.com | Google Inc.

mivaldi$ whois -h whois.radb.net -- '-i origin AS15169' | grep ^route

route: 66.249.64.0/20

route: 66.249.80.0/20

route: 194.110.194.0/24

route: 74.125.57.240/29

route: 193.142.125.0/24

route: 193.186.4.0/24

route: 193.200.222.0/24

route: 216.239.44.0/24

route: 216.239.45.0/24

All known google AS15169 IP's

Re: Route outgoing gmail application received on specific internal interface out different Public IP

Retired Member — Fri, 18 Jul 2014 21:44:12 GMT

Thanks that is good knowledge to have, but my bigger issue is trying to send just traffic received on an internal port ethernet1/105 and NAT it out a separate public IP in our block. I want to leave the other Internal networks connected to different physical ports to continue to use the primary outbound internet NAT rule for all traffic. We're getting the primary public IP which is what all outbound internet connections use blacklisted and I suspect it is the hosts I have on this internal interface ethernet1/105 that is causing it. Does that make sense? I already have the gmail ranges identified statically assigned to an address group, but will look at doing it dynamically too. Thanks

Re: Route outgoing gmail application received on specific internal interface out different Public IP

mivaldi — Fri, 18 Jul 2014 21:59:10 GMT

What about a PBF like this (Interfaces and Next Hop will be different for you).

Following the sequence of events, NAT is evaluated (before PBF, to determine Destination Zone for Security Policies), then PBF is implemented, then NAT is implemented.

Therefore next step is to do NAT based on the Destination Address object for GMail: