Meraki MX85 - How to configure to limit inbound 1:1 and 1:Many NAT with GEO Location

ydinesh
New here

How to configure to limit inbound 1:1 and 1:Many NAT with GEO Location?

As I understand, the layer 7 geo location blocking does not inspect inbound NAT traffic. With this, how can we configure to perform the above, or is this a limitation in the MX?

6 Replies
Brash
Kind of a big deal

From my understanding it's not possible unless you use NAT Exemptions and L3 firewall rules with CIDR's you want to block.

https://community.meraki.com/t5/Security-SD-WAN/MX67W-blocking-country-IP-blocks-when-a-1-1-NAT-is-i...
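As an added illustration of the workaround Brash describes (not code from this thread or from Meraki): given a constructed list of CIDR blocks standing in for a country allocation, collapse overlapping blocks, emit deny rules in the field layout the Meraki dashboard API uses for L3 firewall rules (field names assumed), and check a sample inbound connection to the 1:1 NAT public address against them. The public IP and the CIDRs are placeholders.

```python
import ipaddress
from typing import Iterable

# Constructed sample: CIDR blocks standing in for a country allocation.
# A real list comes from a GeoIP or RIR feed; these are documentation ranges.
BLOCKED_CIDRS = [
    "198.51.100.0/25",
    "198.51.100.128/25",   # adjacent to the block above; collapses to a /24
    "203.0.113.0/24",
    "203.0.113.64/26",     # contained in the /24 above; collapses away
]

# Constructed sample: the public address the MX 1:1 NAT maps to an internal host.
NAT_PUBLIC_IP = "192.0.2.10"


def collapse_cidrs(cidrs: Iterable[str]) -> list[str]:
    """Merge adjacent and overlapping blocks so the rule list stays short."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def build_inbound_deny_rules(cidrs: Iterable[str], public_ip: str) -> list[dict]:
    """Build deny rules for traffic from the listed sources to the NAT address.
    The dict keys follow the Meraki L3 firewall rule object (assumed layout)."""
    rules = []
    for cidr in collapse_cidrs(cidrs):
        rules.append({
            "comment": f"geo-block {cidr} -> 1:1 NAT",
            "policy": "deny",
            "protocol": "any",
            "srcCidr": cidr,
            "srcPort": "Any",
            "destCidr": f"{public_ip}/32",
            "destPort": "Any",
            "syslogEnabled": True,   # log hits so the block is observable
        })
    return rules


def _matches(ip: ipaddress.IPv4Address, cidr: str) -> bool:
    return cidr.lower() == "any" or ip in ipaddress.ip_network(cidr, strict=False)


def is_denied(src_ip: str, dst_ip: str, rules: list[dict]) -> bool:
    """Evaluate a connection against the rules: first match wins, default allow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if _matches(src, r["srcCidr"]) and _matches(dst, r["destCidr"]):
            return r["policy"] == "deny"
    return False
```

The resulting list is the payload you would push to the inbound firewall rules of the network; verify the rule count after collapsing, since the MX rule table has a practical limit.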

alemabrahao
Kind of a big deal

Meraki’s Layer 7 firewall and GEO-IP filtering are designed primarily for outbound traffic from LAN to WAN. When traffic comes from the internet into your network via NAT, it bypasses those content-aware inspection engines.

In short, you need another device in front of the MX to perform this function given this limitation of the MX.

https://www.f5.com/products/big-ip-services/advanced-waf

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
GIdenJoe
Kind of a big deal

Then explain this to me:

Why do the L7 firewall rules say traffic TO/FROM ... countries...

I can't test this but if you block a country it should be both ways if you read the configuration correctly.

Having to need another device in front of the MX to do a function the MX itself should do is a bit redundant 😉

alemabrahao
Kind of a big deal

I partially agree; the problem is that you think a UTM has to do everything, but that's a misconception, to say the least.

Having specific equipment for this function is the most appropriate.

The truth is that the MX leaves nothing to be desired in this regard.

GIdenJoe
Kind of a big deal

Country blocking for both traffic passing through the firewall and limiting a service running on the UTM box should both be done by the box itself. These are essential basic functions of a UTM. Having to put another box in front of a UTM just to block it is quite alien to me.

I do get the use case for SASE and SSE, where the truly advanced stuff is done by the cloud-delivered security and the MX is more of an advanced edge router. However, the MX should be able to stand on its own for this one simple feature.

alemabrahao
Kind of a big deal

Okay, that's your point of view, and I respect it, but I still believe that MX can't handle it well (I speak from experience, so it's not an unsubstantiated statement). I hope you don't misunderstand me. 😊 Best regards.
