We are migrating an ASA to a Palo Alto firewall with an MX-400 behind it. I created a bi-directional NAT on the Palo which is identical to the one on the ASA. This NAT is for the Meraki-VIP. There are also 2 physical IPs on the Meraki as well. The Meraki has the public NAT IP and port 1000 for the site-to-site VPN setup. I also have an outside-to-inside ACL on the Palo that allows traffic to hit the Meraki-VIP on udp-10000.
We have tried this two times with a vendor firewall engineer and once with Palo support on the phone for 4 hours and could never get it to register properly.