In your case, the MX has a private IP on its WAN interface, and it is connected by a dedicated LAN to an ISP router that carries the public IP. There are no inside NAT/dNAT rules on the ISP router, only sNAT that permits the hub to reach the Meraki cloud. You have two possible options with the ISP router.

Option 1: You configure port forwarding for the VPN ports in the ISP router, so the Meraki can respond back. I deployed this solution in my home lab and it is operational. This solution works fine for remote access VPN and Site-2-Site VPNs.

Option 2: You ask the ISP for a static IP subnet, and configure static one-for-one NAT in the ISP router for the Meraki outside private IP. The Meraki will act as if it hosts the public IP of the NAT config in the ISP router.

I hope this helps.