Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Route outgoing gmail application received on specific internal interface out different Public IP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Route outgoing gmail application received on specific internal interface out different Public IP

L1 Bithead

I'm trying to figure out the best and easiest way to route all gmail application (gmail-base and gmail-enterprise primarily) that enters on an internal port from one network and send it out using a separate pubic IP we have. Currently all internet based outbound traffic goes out a using a single IP and we are having an issue with that IP getting MX blacklisted by Barracuda. I am suspecting that this internal network port is where the "promotional material" is being sent out and since we have several networks all using the same public IP for outbound general internet, they are all affected by this. So I have the gmail web IP blocks identified that I would like to use either NAT and/or PBF to take all traffic received on that internal network interface and send it out using a separate public IP we have so when they abuse the limits that Barracuda sets for identifying spam sources, it only affects their internal network. Since the gmail application can't be used in a PBF, I'm struggling to find another way other than sending all their outbound internet traffic out a separate IP which would require more setup. Unfortunately, they are in the same Zone as all our internal networks connected to the PA also. Is there anything I can do easily or will I have to look at separating out the Zones also?

Thanks

3 REPLIES 3

L7 Applicator

You can use PBF using a Dynamic Address Object.

Check Google IP address ranges

You can then set up a cron task to push Google IP addresses to the Dynamic Address object.

Refer to How to Add an IP Address to a Dynamic Address Group using API

You could alternatively leverage information to create an EBL from radb.net and shadowserver.org as follows:

mivaldi$ ping www.google.com

PING www.google.com (74.125.239.49😞 56 data bytes

64 bytes from 74.125.239.49: icmp_seq=0 ttl=54 time=2.506 ms

^C

--- www.google.com ping statistics ---

1 packets transmitted, 1 packets received, 0.0% packet loss

round-trip min/avg/max/stddev = 2.506/2.506/2.506/0.000 ms

mivaldi$ whois -h asn.shadowserver.org "origin 74.125.239.49"

15169 | 74.125.239.0/24 | GOOGLE | US | google.com | Google Inc.

mivaldi$ whois -h whois.radb.net -- '-i origin AS15169' | grep ^route

route:      66.249.64.0/20

route:      66.249.80.0/20

route:      194.110.194.0/24

route:      74.125.57.240/29

route:      193.142.125.0/24

route:      193.186.4.0/24

route:      193.200.222.0/24

route:      216.239.44.0/24

route:      216.239.45.0/24

.

.

.

All known google AS15169 IP's

Thanks that is good knowledge to have, but my bigger issue is trying to send just traffic received on an internal port ethernet1/105 and NAT it out a separate public IP in our block. I want to leave the other Internal networks connected to different physical ports to continue to use the primary outbound internet NAT rule for all traffic. We're getting the primary public IP which is what all outbound internet connections use blacklisted and I suspect it is the hosts I have on this internal interface ethernet1/105 that is causing it.  Does that make sense? I already have the gmail ranges identified statically assigned to an address group, but will look at doing it dynamically too. Thanks

What about a PBF like this (Interfaces and Next Hop will be different for you).

Screen Shot 2014-07-18 at 2.56.14 PM.png

Screen Shot 2014-07-18 at 2.56.20 PM.png

Screen Shot 2014-07-18 at 2.57.54 PM.png

Screen Shot 2014-07-18 at 2.58.18 PM.png

Following the sequence of events, NAT is evaluated (before PBF, to determine Destination Zone for Security Policies), then PBF is implemented, then NAT is implemented.

Therefore next step is to do NAT based on the Destination Address object for GMail:

Screen Shot 2014-07-22 at 11.12.43 AM.png

Screen Shot 2014-07-22 at 11.13.27 AM.png

Screen Shot 2014-07-22 at 11.14.10 AM.png

  • 3068 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!