Practical Differences - 1:1 NAT vs. DMZ

Solved
DannyR76
Here to help

Practical Differences - 1:1 NAT vs. DMZ

In a small environment with an MX84 what would be the risks of using 1:1 NAT over DMZ. We only have two outside facing servers/IPs. And I'm going to do everything I can to one of them to move it to a cloud application. 

 

Do I really "need" the complication of a DMZ? If the application on the server is secure and the 1:1 NAT rules are correct what is the real difference?

(I'm not talking about definitions, more just practicality in a small environment)

1 Accepted Solution
Make_IT_Simple
Meraki Alumni (Retired)
Meraki Alumni (Retired)

no worries. anything that you configure in 1:1 nat won't be filtered by the MX, except if you are doing something upstream with another device. If the server is open to the internet and you are allowing any public IP, just give it some time and you will see that people are trying to access your server from different parts of the world and you will see many of those requests. Yes, those requests will fail because your server is secure, but those requests will need to be processed by the MX, increasing CPU/memory usage. This will increase the device usage and could potentially bring it down. On the other hand, if you are lucky enough and your public IP stays private, then you should be fine.

View solution in original post

5 Replies 5
Make_IT_Simple
Meraki Alumni (Retired)
Meraki Alumni (Retired)

The only challenge is to limit the use of that 1:1 NAT. It would be great if you know all the public IPs that need access to the server, if not, that server would be open to the internet. even if the server is secured, the MX still needs to process those requests which will increase the MX usage.

DannyR76
Here to help

Yes, this particular would be open to the Internet and not a limited number of public IPs. 

 

Just curious, how are the rules & usage any different on a 1:1 NAT than the firewall. I mean the traffic has to be filtered either way. My comment is curiosity not being a jerk. I just want to learn more. 

Make_IT_Simple
Meraki Alumni (Retired)
Meraki Alumni (Retired)

no worries. anything that you configure in 1:1 nat won't be filtered by the MX, except if you are doing something upstream with another device. If the server is open to the internet and you are allowing any public IP, just give it some time and you will see that people are trying to access your server from different parts of the world and you will see many of those requests. Yes, those requests will fail because your server is secure, but those requests will need to be processed by the MX, increasing CPU/memory usage. This will increase the device usage and could potentially bring it down. On the other hand, if you are lucky enough and your public IP stays private, then you should be fine.

Russ_B
Getting noticed

The risk of using 1:1 NAT over a DMZ is the exposure to attacks if one of the Internet facing servers is compromised. 

 

If you put your Internet facing servers on your internal VLAN and one of them is compromised, the attacker could then attempt to compromise any of the devices on the internal VLAN.

 

If your Internet facing servers are isolated in a DMZ, then even if one is compromised the exposure would be limited to other devices in the DMZ.

 

Personally, in today's environment, I would probably create a DMZ for the Internet facing servers.  

KarstenI
Kind of a big deal
Kind of a big deal

If the application on the server is secure” is the first misconception. There is no secure application.

A DMZ is not that complicated, it’s best practice and you really should implement the server in a DMZ.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels