Cisco/Meraki MX - a better way is needed to block IPs when 1:1 NAT is being used

alceryes1
Getting noticed

A while ago, I learned that Meraki MXs create an internal, implicit rule for 1:1 or 1:M NATs that completely bypasses Layer 3 and Layer 7 rules.

See here - https://community.meraki.com/t5/Security-SD-WAN/MX67W-blocking-country-IP-blocks-when-a-1-1-NAT-is-i...

The workaround (enabling the NAT exemption early access feature) allows Layer 3 rules to be processed for NATs, but still does not allow Layer 7 rules to be processed. That would mean that tens of thousands of individual CIDR entries would need to be added in a Layer 3 rule to perform the same blocking that Layer 7 country blocking can do.

Truthfully, I am afraid to even try to add all those CIDR entries to a Layer 3 rule. I fear that the SA would choke if it ever got mildly busy.

That early access feature is NOT a replacement for layer 7 blocking, when using NAT, and never will be. We (the customers, who pay a lot for Cisco/Meraki gear and continuing usage licenses) need a REAL solution. We need Layer 7 rule processing for all traffic, NATs included.

8 Replies
Mloraditch
Kind of a big deal

I understand your frustration. Make sure you have submitted feedback: https://documentation.meraki.com/General_Administration/Other_Topics/Give_your_feedback_(previously_...

and you can also reach out to your Cisco AM.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
jimmyt234
Head in the Cloud

I've enlisted our AI overlords to give us a handy limerick on the subject:

If it's inbound Geo-IP blocking you seek,
A different firewall vendor you need—so to speak.
For Meraki’s design
Draws a simpler line,
And that feature’s a bit too boutique!

alceryes1
Getting noticed

Cute, but not helpful. 🙄

RWelch
Kind of a big deal

As suggested by @Mloraditch the best way to provide feedback directly to the inbox of the engineers and teams is Give your feedback (previously Make a Wish).

Nothing wrong with posting here and discussing the details - but submitting the feedback would be the best path (if you haven't done so already).

alceryes1
Getting noticed

Yup. Already done.

GIdenJoe
Kind of a big deal

The all-or-nothing approach we have today on the MX must be dealt with. You need to be able to set L7 rules and content filter WITHIN rules.

TyShawn
Head in the Cloud

Oooffff, I've fought this fight for years. I've escalated to a few of the upper management and even talked about this on calls and C-Live. Nothing was done about this. It got so bad we had to move off Meraki at our HQ. This was a true deal breaker for my org.

alceryes1
Getting noticed

I just want to keep this updated to give it more visibility and make sure Meraki MX admins are aware that 1:1 and 1:M NATs completely bypass layer 3 and layer 7 rules, by default.
There is an early access feature to enable layer 3 processing with NATs (see above) but no such process exists to enable layer 7 processing with NATs.
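The original post and this recap both describe the same two problems: with 1:1/1:M NAT the MX's implicit rule skips L3/L7 evaluation unless the NAT exemption feature is on, and even then the only way to get country blocking is to push the whole country prefix list into L3 rules. The following is an added example, not code from the thread or from Meraki: it collapses a constructed prefix feed (documentation ranges only, not real geolocation data) to cut the rule count, emits deny rules in the key/value shape of a Meraki Dashboard API L3 firewall rule (the field names are my assumption from the API as I know it; check them against the current API reference before use), indexes the prefixes so a source address can be tested against at most one lookup per prefix length rather than a scan of every rule, and models the NAT-bypass behaviour the thread reports. The NAT public IP is a placeholder.

```python
import ipaddress
from collections import defaultdict

# Constructed sample feed standing in for a per-country CIDR list (RFC 5737 /
# RFC 3849 documentation ranges, not real geolocation data). It deliberately
# contains adjacent and nested prefixes so the aggregation step has work to do.
SAMPLE_COUNTRY_FEED = [
    "203.0.113.0/25", "203.0.113.128/25",   # adjacent halves -> one /24
    "198.51.100.0/24", "198.51.100.64/26",  # /26 is inside the /24 -> dropped
    "2001:db8::/48", "2001:db8:1::/48",     # adjacent -> one /47
]

# Hypothetical public IP of a 1:1 NAT mapping on the MX (placeholder value).
NAT_PUBLIC_IP = "192.0.2.250"


def aggregate(cidrs):
    """Collapse adjacent and nested prefixes so the rule count is as small as
    the data allows. collapse_addresses() needs one IP version at a time."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    out = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return out


def build_deny_rules(cidrs, dest_cidr="Any", comment="geo-block"):
    """One deny rule per prefix, in the shape of a Meraki Dashboard API L3
    firewall rule object. Field names are assumed, not taken from the thread;
    verify them against the API reference for your dashboard version."""
    return [{
        "comment": comment,
        "policy": "deny",
        "protocol": "any",
        "srcCidr": cidr,
        "srcPort": "Any",
        "destCidr": dest_cidr,
        "destPort": "Any",
        "syslogEnabled": True,
    } for cidr in cidrs]


class PrefixSet:
    """Membership test for tens of thousands of prefixes: index network
    addresses by prefix length, then test an address against at most one
    mask per distinct length instead of scanning every rule."""

    def __init__(self, cidrs):
        self._by_len = {4: defaultdict(set), 6: defaultdict(set)}
        for c in cidrs:
            n = ipaddress.ip_network(c, strict=False)
            self._by_len[n.version][n.prefixlen].add(int(n.network_address))

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        bits, a = addr.max_prefixlen, int(addr)
        for plen, nets in self._by_len[addr.version].items():
            mask = ((1 << plen) - 1) << (bits - plen)
            if (a & mask) in nets:
                return True
        return False


def inbound_decision(src_ip, dst_ip, blocklist, nat_exemption_enabled,
                     nat_ips=(NAT_PUBLIC_IP,)):
    """Model of the behaviour the thread describes for inbound traffic to a
    1:1 NAT address: by default the implicit NAT rule is taken and neither
    L3 nor L7 rules run; with the NAT exemption early access feature, L3
    rules are evaluated (L7 country rules still are not)."""
    if dst_ip in nat_ips and not nat_exemption_enabled:
        return "allow: implicit 1:1 NAT rule, L3/L7 not evaluated"
    if blocklist.contains(src_ip):
        return "deny: L3 srcCidr match"
    return "allow: no L3 match"


if __name__ == "__main__":
    prefixes = aggregate(SAMPLE_COUNTRY_FEED)
    print(f"{len(SAMPLE_COUNTRY_FEED)} feed entries -> {len(prefixes)} rules")
    for rule in build_deny_rules(prefixes):
        print(rule)
    blocklist = PrefixSet(prefixes)
    for exempt in (False, True):
        print(f"NAT exemption={exempt}:",
              inbound_decision("203.0.113.200", NAT_PUBLIC_IP, blocklist, exempt))
```

The aggregation step is what makes a large feed survivable: real country feeds contain many adjacent fragments, and `collapse_addresses` merges them before anything is pushed to the dashboard. The `PrefixSet` lookup is only a local check of what a given source would hit; it does not change how the MX itself evaluates rules.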
