You definitely do need an actual public IP. That can be accomplished by direct connection to the MX from your ISP or via 1 to 1 NAT and appropriate rules in an upstream firewall. vMXs and Concentrators are the most likely scenarios for the latter situation. There are also corner cases with some ISPs like Starlink operating things with CGNAT. Without your IP addresses, we can't be certain if you are hitting any of these situations specifically. The one other situation that may occur is your ISP blocking 443 upstream to you despite giving you a public IP. I've definitely seen things like that. You may need to check with them. The ones I've dealt with will usually disable that blocking on business accounts upon request. I suggest a quick call to Meraki Support, who can verify your connectivity vis-a-vis the IPs and verify if your AnyConnect traffic is making it to the MX.
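The cases named in the reply above (direct public IP, 1 to 1 NAT behind an upstream firewall, CGNAT) can be told apart by comparing the address on the MX uplink with the address an outside host sees. This is an added example, not part of the post and not Meraki tooling; the function names and result labels are hypothetical, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Private ranges (RFC 1918) and carrier-grade NAT shared space (RFC 6598).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_ip(addr):
    """Classify the IPv4 address configured on the uplink interface."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("this check only covers IPv4 uplinks")
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return "non-routable"
    return "public"


def assess(wan_ip, observed_ip):
    """Compare the uplink address with the address seen from outside.

    wan_ip      -- address shown on the uplink (hypothetical input)
    observed_ip -- address an external host or "what is my IP" service reports
    """
    kind = classify_wan_ip(wan_ip)
    if kind == "cgnat":
        return "cgnat"            # ISP is translating; ask them for a public IP
    if kind == "rfc1918":
        return "needs-1to1-nat"   # upstream firewall must map a public IP and allow 443
    if kind == "non-routable":
        return "no-uplink-address"
    if ipaddress.ip_address(observed_ip) != ipaddress.ip_address(wan_ip):
        return "mismatch"         # public-looking address, but something still translates
    # A matching public address does not rule out the ISP filtering inbound
    # 443; that has to be confirmed with the ISP or a capture on the uplink.
    return "direct-public"


if __name__ == "__main__":
    # Constructed samples: (uplink address, externally observed address)
    for wan, seen in [("203.0.113.10", "203.0.113.10"),
                      ("192.168.1.2", "203.0.113.10"),
                      ("100.72.1.5", "198.51.100.7")]:
        print(wan, seen, "->", assess(wan, seen))
```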