07-17-2014 02:01 PM
I'm trying to figure out the best and easiest way to route all gmail application (gmail-base and gmail-enterprise primarily) that enters on an internal port from one network and send it out using a separate public IP we have. Currently all internet based outbound traffic goes out using a single IP and we are having an issue with that IP getting MX blacklisted by Barracuda. I am suspecting that this internal network port is where the "promotional material" is being sent out and since we have several networks all using the same public IP for outbound general internet, they are all affected by this. So I have the gmail web IP blocks identified that I would like to use either NAT and/or PBF to take all traffic received on that internal network interface and send it out using a separate public IP we have so when they abuse the limits that Barracuda sets for identifying spam sources, it only affects their internal network. Since the gmail application can't be used in a PBF, I'm struggling to find another way other than sending all their outbound internet traffic out a separate IP which would require more setup. Unfortunately, they are in the same Zone as all our internal networks connected to the PA also. Is there anything I can do easily or will I have to look at separating out the Zones also?
Thanks
07-18-2014 02:28 PM
You can use PBF using a Dynamic Address Object.
Check Google IP address ranges
You can then set up a cron task to push Google IP addresses to the Dynamic Address object.
Refer to How to Add an IP Address to a Dynamic Address Group using API
You could alternatively leverage information to create an EBL from radb.net and shadowserver.org as follows:
mivaldi$ ping www.google.com
PING www.google.com (74.125.239.49): 56 data bytes
64 bytes from 74.125.239.49: icmp_seq=0 ttl=54 time=2.506 ms
^C
--- www.google.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.506/2.506/2.506/0.000 ms
mivaldi$ whois -h asn.shadowserver.org "origin 74.125.239.49"
15169 | 74.125.239.0/24 | GOOGLE | US | google.com | Google Inc.
mivaldi$ whois -h whois.radb.net -- '-i origin AS15169' | grep ^route
route: 66.249.64.0/20
route: 66.249.80.0/20
route: 194.110.194.0/24
route: 74.125.57.240/29
route: 193.142.125.0/24
route: 193.186.4.0/24
route: 193.200.222.0/24
route: 216.239.44.0/24
route: 216.239.45.0/24
.
.
.
All known Google AS15169 IPs
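The two lookups above (the shadowserver `origin` query that yields the ASN, and the radb `route:` listing for that ASN) are easy to script, but raw whois output needs validation before it is pushed anywhere: it contains duplicates, overlapping prefixes and the occasional malformed line. The following Python is an added example, not code from the thread or from Palo Alto Networks. It parses constructed sample output in the same shape as the session above, drops invalid lines, merges overlapping or adjacent prefixes, and builds the kind of XML `register` payload a cron job could submit to the firewall's API to tag those prefixes for a dynamic address group. The tag name `gmail-out` and the assumption that the firewall version in use accepts non-/32 prefixes in a register message are assumptions; check them against the vendor document linked above before relying on the payload.

```python
import ipaddress
import re
from xml.etree import ElementTree as ET

# Constructed sample: the pipe-separated answer returned by
#   whois -h asn.shadowserver.org "origin 74.125.239.49"
SHADOWSERVER_ORIGIN = "15169 | 74.125.239.0/24 | GOOGLE | US | google.com | Google Inc."

# Constructed sample in the shape of
#   whois -h whois.radb.net -- '-i origin AS15169' | grep ^route
# with a duplicate, an overlapping prefix and a malformed line added on purpose
# to exercise the validation below.
RADB_ROUTES = """\
route: 66.249.64.0/20
route: 66.249.80.0/20
route: 194.110.194.0/24
route: 74.125.57.240/29
route: 74.125.57.240/29
route: 74.125.57.0/24
route: not-a-prefix
route: 216.239.44.0/24
route: 216.239.45.0/24
"""

ROUTE_RE = re.compile(r"^route:\s*(\S+)\s*$")


def asn_from_origin_line(line):
    """Extract the origin ASN from a shadowserver 'origin' answer line."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) < 2 or not fields[0].isdigit():
        raise ValueError("unexpected shadowserver format: %r" % line)
    return int(fields[0])


def parse_routes(text):
    """Return (valid_prefixes, rejected_lines) from radb 'route:' output.

    strict=True rejects prefixes with host bits set, so a typo such as
    10.0.0.1/24 is not silently widened to 10.0.0.0/24.
    """
    valid, rejected = [], []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            rejected.append(line)
            continue
        try:
            valid.append(ipaddress.ip_network(m.group(1), strict=True))
        except ValueError:
            rejected.append(line)
    return valid, rejected


def collapse(prefixes):
    """Deduplicate and merge overlapping/adjacent prefixes, sorted for stable diffs.

    collapse_addresses only merges two prefixes when both halves are present,
    so no address space that was not in the input is ever added.
    """
    v4 = [p for p in prefixes if p.version == 4]
    v6 = [p for p in prefixes if p.version == 6]
    return sorted(ipaddress.collapse_addresses(v4)) + sorted(ipaddress.collapse_addresses(v6))


def build_register_xml(prefixes, tag):
    """Build a user-id style 'register' message (assumed format) that attaches
    `tag` to each prefix so a dynamic address group matching that tag picks it up."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    register = ET.SubElement(ET.SubElement(root, "payload"), "register")
    for prefix in prefixes:
        entry = ET.SubElement(register, "entry", ip=str(prefix))
        ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    asn = asn_from_origin_line(SHADOWSERVER_ORIGIN)
    valid, rejected = parse_routes(RADB_ROUTES)
    merged = collapse(valid)
    print("AS%d: %d route lines, %d rejected, %d prefixes after merge"
          % (asn, len(valid), len(rejected), len(merged)))
    for line in rejected:
        print("  rejected:", line)
    print(build_register_xml(merged, "gmail-out"))
```

In a real cron job the two constants would be replaced by the live whois output, and the generated XML submitted to the firewall's API; keeping the rejected lines in the job's log is the cheap way to notice when the registry output changes format, rather than letting the address group silently shrink.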
07-18-2014 02:44 PM
Thanks, that is good knowledge to have, but my bigger issue is trying to send just traffic received on an internal port ethernet1/105 and NAT it out a separate public IP in our block. I want to leave the other Internal networks connected to different physical ports to continue to use the primary outbound internet NAT rule for all traffic. We're getting the primary public IP, which is what all outbound internet connections use, blacklisted and I suspect it is the hosts I have on this internal interface ethernet1/105 that is causing it. Does that make sense? I already have the gmail ranges identified statically assigned to an address group, but will look at doing it dynamically too. Thanks
07-18-2014 02:59 PM
What about a PBF like this (Interfaces and Next Hop will be different for you).
Following the sequence of events, NAT is evaluated (before PBF, to determine Destination Zone for Security Policies), then PBF is implemented, then NAT is implemented.
Therefore the next step is to do NAT based on the Destination Address object for GMail: