Going sideways, the MX is not so strong with regard to non-Meraki site-to-site VPNs. Have you thought about keeping the ASA for just these VPNs (no public IP change then), or moving them to something like StrongSwan running as a VM on an existing compute (I use StrongSwan a lot, it is free and very powerful). There is also the virtual ASA option (such as the Cisco vASA 10). The virtual option is going to be around for a long time yet. If you want to go newer, there are also the virtual Firepower units, and the baby Firepower units (which can also run ASA - just copy and paste config) like the Firepower 1010. https://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-virtual-appliance-asav/adapt-security-virtual-appliance-ds.html https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw-virtual/threat-defense-virtual-ngfwv-ds.html https://www.cisco.com/site/us/en/products/security/firewalls/firepower-1000-series/index.html
... View more