If I create a layer 3 to/from deny rule (not sure of the limit of IP entries) will that supersede the 1:1 NAT rule and deny any to/from traffic for those specific IPs?

I won't confirm it, so I left it as a suggestion for testing.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewal...

I had some time, so I put in a support ticket.

Will post my findings.

I believe this is different from what I need. I don't need the internal IP preserved, I just need some mechanic/rule to be able to block countries from external services on particular ports (NATted services).

I'm surprised this hasn't come up previously. Meraki users should be able to block IP list or whole country access to NATted services like Exchange Webmail or Microsoft RDWeb services(?)

If you read the article again you can see that when you enable this feature you get the option of using inbound firewall rules which change the default behaviour of the implicit allow rule created when you add a inbound nat rule.

With this feature enabled you can still NAT. I just suggested trying to enable this for the inbound firewall function.

And yes i agree. I would also like for L7 geoblock rules to apply to inbound nat by default.

Maybe I'm reading it wrong, but it appears that, in order to override the NAT exception, I need to disable NAT on a particular uplink or VLAN, but I still want the NAT to be in place. Exposing an internal IP to the internet (in my simple set up) isn't possible.

In any case, we'll see what support comes back with and I'll post my findings here.

You are reading it wrong. When you opt in for this feature you just enable the option to do no-nat on uplinks. Unless you enable the no-nat check boxes you still NAT.

The only immediate thing that changes when you opt in for this feature is the inbound firewall rules.

Try it on a test network

Just a little note I opened up multiple tickets, have multiple sales calls, and countless make a wish requests for this feature. This lack of function is what forced my day job to move away from the MX line at our HQ. 

Meraki has confirmed that this is the current solution.

However, this is just a band aid for layer 7 country blocking. Imagine having to enter every CIDR notation for all the blocks of IPs for the 20 or so countries that the US government considers unfriendly. This is unacceptable, IMHO.

Good to know. Did they confirm that L7 rules does not work when you do it this way? If enabling inbound FW makes this traffic follow the regular rule processing flow it should in theory work.

For example if you allow any inbound towards the NAT IP and you add L7 geoblock rules for the countries you want to allow.

If you want to test it you can DM me and i will attempt to connect from where i live.

I have asked them for clarification as they weren't clear.

Having to enter in hundreds of CIDR blocks in a layer 3 rule would probably slow down peak performance (and take hours to do). It's not a good option.

Yeah i get that. But you should not need to add anything other then allow any inbound toward the NAT IP in L3 firewall rules. Once it matches and is allowed it should continue to the L7 rule processing where you do geoblock assuming you have the advanced security license.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewal... 

Correct. The question is whether enabling this NAT exception changes the way layer 7 is processed. Without NAT exeption, 1:1 and 1:M NATs actually create a hidden implicit rule that supercedes Layer 3 and 7. That functionality would need to change.

I'll post what Meraki replies with. Thanks again.