First question so please be kind!

Issue: in the Google Cloud Platform they block traffic on port 25 outbound to external addresses.

  • 1 webserver needing to send mail via my corporate mail server.
  • 1 mail server sitting inside my DMZ, that is routed on the firewall.
  • 1 site to site VPN (on the firewall) between my office subnet and the GCP local subnet.

What I know so far:

So... after a day of being convinced that there was an issue with my firewall, it turns out that Google blocks outbound ports 25, 465 and 587 (all variations of the SMTP protocol ports).

Found that nugget here: https://cloud.google.com/compute/docs/tutorials/sending-mail/

It describes there how the traffic is allowed between local networks but blocked from the internet.

Now, I have a Site-to-Site VPN set up between GCP and my ASA5520 which is working great; there are routes for my local networks in GCP to route it through. Now, is this considered part of the "local network", or is it restricted to the local subnet of the Google instance?

I guess somebody must have come across this problem before me, with a similar setup, but I cannot find much.

Before I make changes to my live firewall to try and allow traffic to the DMZ from the VPN, I would like to know if anybody has any experience with this?

Also open to other suggestions on how to solve my problem... although I would rather not have to pay for anything, or rely on apps and other services.

cheers!

Lee Hill
  • In that link you sent, they have a section entitled, [Sending mail through corporate mail servers](https://cloud.google.com/compute/docs/tutorials/sending-mail/#sending_mail_through_corporate_mail_servers) It describes using a VPN. So you would just relay to a mail server on the inside of your ASA and Google traffic filters wouldn't even see port numbers--they would just see ESP or UDP/500 (ESP over UDP). – theglossy1 May 24 '17 at 21:52
  • I thought that may be the case but I think I got confused with the "VPN client" bit, as opposed to the VPN config in the console. Will put the filters in and report back. – Lee Hill May 24 '17 at 22:28
  • Tried the setup on a GCP dev project that I have, which has worked, but now I have lost access between my local office subnet and the GCP internal network. I will raise another question with regards to 2 local subnets using the same Site-to-Site tunnel. Thanks for your help. – Lee Hill May 25 '17 at 09:27
  • @theglossy1 if you would like to put your comment as an answer I will mark it as solved. – Lee Hill May 25 '17 at 09:30

1 Answer

In that link you sent, they have a section entitled, Sending mail through corporate mail servers. It describes using a VPN. So you would just relay to a mail server on the inside of your ASA and Google traffic filters wouldn't even see port numbers--they would just see ESP or UDP/500 (ESP over UDP).

Concerning two subnets on one tunnel, I can only speak to the ASA side of things. I typically create a one-line access-list that defines two object-groups, then just load up the object-group definitions with the subnets you need to traverse the tunnel. For example:

! ASA object-groups need the "network" keyword; the remote side is the GCP end of the tunnel
object-group network L2L-GCP-Remote
 network-object host 169.254.169.254
! Every office subnet that should be reachable over the tunnel goes in the local group
object-group network L2L-GCP-Local
 network-object 10.11.12.0 255.255.255.0
 network-object 10.12.13.0 255.255.255.0

! One-line crypto ACL: traffic matching local<->remote is selected into the IPsec tunnel
access-list outside_5_cryptomap extended permit ip object-group L2L-GCP-Local object-group L2L-GCP-Remote

crypto map outside_map 5 match address outside_5_cryptomap

I'm showing my age with the L2L-xxx-Local/Remote parlance. That's the way the old 3000 VPN concentrator used to define each side. :)

theglossy1
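As an added illustration (not code from the question, the answer, or Google's tutorial): a small Python checker that parses an ASA-style object-group/crypto-ACL snippet in the shape of the one above and reports whether a given source/destination pair would be selected into the tunnel. The config and all addresses are constructed placeholders; the `outside_5_cryptomap` name and object-group syntax follow the answer. It shows why the DMZ mail server and every office subnet you expect to reach must be in the local group: a pair the crypto ACL does not match takes the instance's default route to the internet, where GCP drops ports 25, 465 and 587.

```python
import ipaddress

# Constructed sample config (placeholder addresses): GCP VPC subnet on the
# remote side, one office subnet plus the DMZ mail server on the local side.
# The second office subnet (10.12.13.0/24) is deliberately left out.
ASA_CONFIG = """
object-group network L2L-GCP-Remote
 network-object 10.200.0.0 255.255.255.0
object-group network L2L-GCP-Local
 network-object 10.11.12.0 255.255.255.0
 network-object host 10.99.0.25
access-list outside_5_cryptomap extended permit ip object-group L2L-GCP-Local object-group L2L-GCP-Remote
crypto map outside_map 5 match address outside_5_cryptomap
"""

def parse_object_groups(config):
    """Map each 'object-group network NAME' to its list of ip_network entries."""
    groups, current = {}, None
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[:2] == ["object-group", "network"]:
            current = groups.setdefault(parts[2], [])
        elif parts[0] == "network-object" and current is not None:
            if parts[1] == "host":                       # single host
                current.append(ipaddress.ip_network(parts[2] + "/32"))
            else:                                        # network + dotted mask
                current.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
    return groups

def parse_crypto_acl(config, name):
    """Return (local_group, remote_group) named in the 'permit ip' crypto ACL line."""
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] == ["access-list", name] and "permit" in parts:
            idx = [i for i, p in enumerate(parts) if p == "object-group"]
            return parts[idx[0] + 1], parts[idx[1] + 1]
    raise ValueError(f"access-list {name} not found")

def in_group(groups, name, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in groups[name])

def tunnel_selects(config, acl, src, dst):
    """True if src->dst matches the crypto ACL in either direction (ASA crypto
    ACLs are symmetric), i.e. the packet is encrypted into the IPsec tunnel
    instead of leaving via the instance's internet default route."""
    groups = parse_object_groups(config)
    local, remote = parse_crypto_acl(config, acl)
    return ((in_group(groups, local, src) and in_group(groups, remote, dst)) or
            (in_group(groups, remote, src) and in_group(groups, local, dst)))
```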