Meraki

Community

Practical Differences - 1:1 NAT vs. DMZ

Solved
DannyR76
Here to help
‎Mar 21 2022 11:21 AM
‎Mar 21 2022 11:21 AM

Practical Differences - 1:1 NAT vs. DMZ

In a small environment with an MX84 what would be the risks of using 1:1 NAT over DMZ. We only have two outside facing servers/IPs. And I'm going to do everything I can to one of them to move it to a cloud application. 

 

Do I really "need" the complication of a DMZ? If the application on the server is secure and the 1:1 NAT rules are correct what is the real difference?

(I'm not talking about definitions, more just practicality in a small environment)

0 Kudos
1 Accepted Solution
In response to DannyR76
Make_IT_Simple
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Mar 21 2022 12:06 PM
‎Mar 21 2022 12:06 PM

no worries. anything that you configure in 1:1 nat won't be filtered by the MX, except if you are doing something upstream with another device. If the server is open to the internet and you are allowing any public IP, just give it some time and you will see that people are trying to access your server from different parts of the world and you will see many of those requests. Yes, those requests will fail because your server is secure, but those requests will need to be processed by the MX, increasing CPU/memory usage. This will increase the device usage and could potentially bring it down. On the other hand, if you are lucky enough and your public IP stays private, then you should be fine.

View solution in original post

5 Replies 5
Make_IT_Simple
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Mar 21 2022 11:33 AM
‎Mar 21 2022 11:33 AM

The only challenge is to limit the use of that 1:1 NAT. It would be great if you know all the public IPs that need access to the server, if not, that server would be open to the internet. even if the server is secured, the MX still needs to process those requests which will increase the MX usage.

In response to Make_IT_Simple
DannyR76
Here to help
‎Mar 21 2022 11:56 AM
‎Mar 21 2022 11:56 AM

Yes, this particular would be open to the Internet and not a limited number of public IPs. 

 

Just curious, how are the rules & usage any different on a 1:1 NAT than the firewall. I mean the traffic has to be filtered either way. My comment is curiosity not being a jerk. I just want to learn more. 

0 Kudos
In response to DannyR76
Make_IT_Simple
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Mar 21 2022 12:06 PM
‎Mar 21 2022 12:06 PM

no worries. anything that you configure in 1:1 nat won't be filtered by the MX, except if you are doing something upstream with another device. If the server is open to the internet and you are allowing any public IP, just give it some time and you will see that people are trying to access your server from different parts of the world and you will see many of those requests. Yes, those requests will fail because your server is secure, but those requests will need to be processed by the MX, increasing CPU/memory usage. This will increase the device usage and could potentially bring it down. On the other hand, if you are lucky enough and your public IP stays private, then you should be fine.

Russ_B
Getting noticed
‎Mar 21 2022 12:51 PM
‎Mar 21 2022 12:51 PM

The risk of using 1:1 NAT over a DMZ is the exposure to attacks if one of the Internet facing servers is compromised. 

 

If you put your Internet facing servers on your internal VLAN and one of them is compromised, the attacker could then attempt to compromise any of the devices on the internal VLAN.

 

If your Internet facing servers are isolated in a DMZ, then even if one is compromised the exposure would be limited to other devices in the DMZ.

 

Personally, in today's environment, I would probably create a DMZ for the Internet facing servers.  

KarstenI
Kind of a big deal
Kind of a big deal
‎Mar 21 2022 2:23 PM
‎Mar 21 2022 2:23 PM

If the application on the server is secure” is the first misconception. There is no secure application.

A DMZ is not that complicated, it’s best practice and you really should implement the server in a DMZ.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.