We are migrating an ASA to a Palo Alto firewall with an MX-400 behind it. I created a bi-directional NAT on the Palo which is identical from the ASA. This NAT is for the Meraki-VIP. There are also 2 physical IP's on the Meraki as well. The Meraki has the public NAT IP and port 1000 for the site-to-site VPN setup. I also have a outside-to-inside ACL on the Palo that allows traffic to hit the Merak-VIP on udp-10000.
We have tried this 2 two times with a vendor firewall engineer and once with Palo support on the phone for 4 hours and could never get it to register properly.
I have this setup in my environment. Send me a PM and I can try to set some time to help get you setup on the PAN side.
I assume that since you have this behind another firewall you are running it as a Hub, correct?
Is there an ACL limiting traffic from inside to outside?
You can check out the needed firewal rules from the Meraki dashboard under Help/Firewall Info (on the top right hand corner).
Definitely not my strong suit and I'm not sure I'm following you, but...
Check the applicability of the Local Identification and/or Peer Identification fields in the General tab of your IKE Gateway config.
I am doing something similar and 75% of my tunnels will register and the others will not no matter how many reboots I do and in what order. Were you able to get this working?