WAN Connection directly into MS425 - security concerns?

calebbaker
Here to help

Hello,

I have a requirement to pass a Public IP (site has a /28) directly to a device behind an MX250 (without NAT). My understanding is this is not possible under the current 14.X firmware release.
As an alternative solution, I'm considering connecting the WAN connection into a VLAN on the MS425, and then connect the WAN connection on the MX250 to that VLAN. The configuration of the MX250 WAN would not change, and the management IP on the MS425 would remain a private IP NATed by the MX250.
As long as the WAN connection is in a dedicated VLAN, are there any security concerns on this? As long as the MS425 doesn't have a layer 3 interface in the VLAN, I'm thinking this wouldn't really be a concern?
Is there anything I can do in the MS to verify only the permitted IP for that device is used? This will be managed by a 3rd party, so I am concerned about the possibility that a misconfiguration of their device (with wrong IP info, for example) could knock our device offline.
Any feedback or input is appreciated. Thanks

Raj66
Meraki Employee

Hello,

One way you can pass the public IP to the LAN of the MX250 is via 1:1 NAT. The devices in the LAN will still have a private IP, but it will be NATed to a separate public IP on the MX. This will also allow traffic to be initiated from the outside.

While plugging the connection directly into the switch will serve the purpose, it is not a great security design. You are always leaving a backdoor to your LAN which an attacker can leverage.

Cheers!

Raj

PhilipDAth
Kind of a big deal


I do that all the time. Just create a layer 2 VLAN with no layer 3 config on the switch and then use that to plug everything in.

GIdenJoe
Kind of a big deal

Yep, this needs to be done a lot if your provider router only has one LAN interface and you need to connect an HA firewall pair. Just use an external VLAN on your switch. Make sure that VLAN is pruned off from any trunks inside the LAN and make sure your switch management IP is on an internal VLAN.
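As an added example, not code from this thread or from Meraki, the script below audits an offline copy of a switch's port, routed-interface and management settings against the design the replies above describe: the WAN VLAN is carried only on the ISP hand-off and the MX WAN port(s) (two MX ports for an HA pair), it is pruned from every other trunk, the switch has no layer 3 interface in it, and the management IP sits in an internal VLAN. The sample data is constructed inline; its field names (portId, type, vlan, allowedVlans, vlanId, interfaceIp) are an assumption modelled on the shape of Meraki Dashboard API switch-port and routing-interface responses, so a real run would feed the API output into the same functions. The VLAN number 900 and port numbers are placeholders.

```python
"""Offline audit for the 'WAN in a dedicated layer 2 VLAN' design.

Rules checked (as described in the thread):
  1. The WAN VLAN is present only on the ports that must carry it
     (ISP hand-off plus each MX WAN uplink) and pruned everywhere else.
  2. No layer 3 (routed) interface on the switch lives in the WAN VLAN.
  3. The switch management VLAN is not the WAN VLAN.

All input below is constructed sample data; field names are assumed to
mirror Meraki Dashboard API responses and are not fetched from anywhere.
"""
from __future__ import annotations


def parse_vlan_list(spec: str) -> set[int] | None:
    """Expand an allowed-VLAN string such as "1,10-20,100" into a set.

    Returns None for "all", meaning every VLAN is permitted on the trunk.
    """
    spec = spec.strip().lower()
    if spec == "all":
        return None
    vlans: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def port_carries_vlan(port: dict, vlan: int) -> bool:
    """True if frames in `vlan` would be forwarded on this port."""
    if port.get("enabled", True) is False:
        return False
    if port.get("type") == "access":
        return port.get("vlan") == vlan or port.get("voiceVlan") == vlan
    # Trunk: the native VLAN is always carried, plus the allowed list.
    if port.get("vlan") == vlan:
        return True
    allowed = parse_vlan_list(port.get("allowedVlans", "all"))
    return allowed is None or vlan in allowed


def audit_wan_vlan(ports: list[dict], l3_interfaces: list[dict],
                   mgmt_vlan: int, wan_vlan: int,
                   wan_ports: tuple[str, ...]) -> list[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    findings: list[str] = []
    expected = set(wan_ports)
    for p in ports:
        pid = str(p["portId"])
        carries = port_carries_vlan(p, wan_vlan)
        if pid in expected and not carries:
            findings.append(f"port {pid}: expected to carry WAN VLAN "
                            f"{wan_vlan} but does not")
        elif pid not in expected and carries:
            findings.append(f"port {pid}: leaks WAN VLAN {wan_vlan} into the LAN "
                            f"({p.get('type')}, allowed={p.get('allowedVlans', 'n/a')})")
    for intf in l3_interfaces:
        if intf.get("vlanId") == wan_vlan:
            findings.append(f"L3 interface '{intf.get('name')}' "
                            f"({intf.get('interfaceIp')}) lives in WAN VLAN {wan_vlan}")
    if mgmt_vlan == wan_vlan:
        findings.append(f"switch management VLAN {mgmt_vlan} is the WAN VLAN")
    return findings


# Constructed sample switch state (placeholder VLAN and port numbers).
WAN_VLAN = 900
WAN_PORTS = ("1", "2")          # 1 = ISP hand-off, 2 = MX250 WAN uplink
MGMT_VLAN = 99
SAMPLE_PORTS = [
    {"portId": "1", "type": "access", "vlan": 900, "enabled": True},
    {"portId": "2", "type": "access", "vlan": 900, "enabled": True},
    {"portId": "3", "type": "trunk", "vlan": 1, "allowedVlans": "all"},      # not pruned
    {"portId": "4", "type": "trunk", "vlan": 1, "allowedVlans": "1,10-20"},  # pruned
    {"portId": "5", "type": "access", "vlan": 10},
]
SAMPLE_L3 = [
    {"name": "Users", "vlanId": 10, "interfaceIp": "10.0.10.1"},
    {"name": "Mgmt", "vlanId": 99, "interfaceIp": "10.0.99.1"},
]

if __name__ == "__main__":
    for finding in audit_wan_vlan(SAMPLE_PORTS, SAMPLE_L3, MGMT_VLAN,
                                  WAN_VLAN, WAN_PORTS):
        print("FINDING:", finding)
```

In the sample, port 3 is an internal trunk that still allows every VLAN, so the audit reports it as leaking the WAN VLAN into the LAN; the pruned trunk on port 4 and the access port on VLAN 10 pass. The checks do not address the original poster's separate question about restricting which source IP the third-party device may use, which is not answered in the thread.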
