First question so please be kind!
Issue: in Google Cloud Platform they block traffic on port 25 outbound to external addresses.
- 1 webserver needing to send mail via my corporate mail server.
- 1 mail server sitting inside my DMZ, that is routed on the firewall.
- 1 site to site VPN (on the firewall) between my office subnet and the GCP local subnet.
What I know so far:
So... after a day of being convinced that there was an issue with my firewall, it turns out that Google blocks outbound ports 25, 465 and 587 (all variations of the SMTP protocol ports).
Found that nugget here: https://cloud.google.com/compute/docs/tutorials/sending-mail/
It describes how the traffic is allowed between local networks but blocked from the internet.
Now, I have a Site-to-Site VPN set up between GCP and my ASA5520 which is working great, and there are routes for my local networks in GCP to route it through. Is this considered part of the "local network", or is it restricted to the local subnet of the Google instance?
I guess somebody must have come across this problem before me, with a similar setup, but I cannot find much.
Before I make changes to my live firewall to try and allow traffic to the DMZ from the VPN, I would like to know if anybody has any experience with this?
Also open to other suggestions on how to solve my problem... although I would rather not have to pay for anything, or rely on apps and other services.
cheers!
In that link you sent, they have a section entitled "Sending mail through corporate mail servers". It describes using a VPN. So you would just relay to a mail server on the inside of your ASA, and Google's traffic filters wouldn't even see port numbers--they would just see ESP or UDP/500 (ESP over UDP).
Concerning two subnets on one tunnel, I can only speak to the ASA side of things. I typically create a one-line access-list that defines two object-groups, then just load up the object-group definitions with the subnets you need to traverse the tunnel. For example:
I'm showing my age with the L2L-xxx-Local/Remote parlance. That's the way the old 3000 VPN concentrator used to define each side. :)
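As an added example (this is not the answerer's configuration, which does not appear on the page), here is what the object-group pattern described above looks like on an ASA running 8.3 or later, using the L2L-xxx-Local/Remote naming. Every address, interface name and crypto-map name is an assumed placeholder: 10.10.0.0/24 for the office LAN, 10.10.50.0/24 for the DMZ holding the mail server, 10.128.0.0/20 for the GCP subnet, 203.0.113.10 for the Cloud VPN gateway, and `outside_map` sequence 10 for the existing tunnel entry.

```text
! Added example, not the answerer's config. Addresses, names and interfaces are assumed.
! Left side: every on-prem subnet that must traverse the tunnel, including the DMZ.
object-group network L2L-GCP-Local
 network-object 10.10.0.0 255.255.255.0
 network-object 10.10.50.0 255.255.255.0
! Right side: the GCP VPC subnet where the web server lives.
object-group network L2L-GCP-Remote
 network-object 10.128.0.0 255.255.240.0
! The one-line crypto ACL; new subnets go into the groups, never onto this line.
access-list L2L-GCP-VPN extended permit ip object-group L2L-GCP-Local object-group L2L-GCP-Remote
! NAT exemption so tunnel traffic keeps its private addresses, one line per inside-facing interface.
nat (inside,outside) source static L2L-GCP-Local L2L-GCP-Local destination static L2L-GCP-Remote L2L-GCP-Remote no-proxy-arp route-lookup
nat (dmz,outside) source static L2L-GCP-Local L2L-GCP-Local destination static L2L-GCP-Remote L2L-GCP-Remote no-proxy-arp route-lookup
! Bind the ACL to the existing crypto map entry for the GCP peer.
crypto map outside_map 10 match address L2L-GCP-VPN
crypto map outside_map 10 set peer 203.0.113.10
! Verification: once traffic flows, a second SA pair for 10.10.50.0/24 <-> 10.128.0.0/20 should
! appear, and packet-tracer shows whether a DMZ-sourced packet reaches the VPN phase.
show crypto ipsec sa peer 203.0.113.10
packet-tracer input dmz icmp 10.10.50.25 8 0 10.128.0.5 detailed
```

Two checks before relying on this: the GCP side of the tunnel must also carry both on-prem ranges (the office LAN and the DMZ) as remote traffic selectors or routes, otherwise the second SA never negotiates; and because `sysopt connection permit-vpn` is enabled by default, decrypted tunnel traffic bypasses the outside interface ACL, so the DMZ interface ACL and the mail server's own relay rules are where you restrict TCP/25 to the GCP subnet only.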