I think you misunderstood the explanation of how FQDN objects work. It is true that an FQDN policy object just references an FQDN. But the MX itself will not resolve DNS entries on its own to map to IP addresses. It has to see a DNS request from a client behind the MX going out to the internet and being responded to by the DNS server, so it can snoop the entry and put it in a DNS-to-IP table to dynamically apply to outgoing traffic. You can find proof of this operation here: https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#FQDN_Support

There is no ready-made solution for your use case as it stands today when using port forwarding. However, there may be an API solution for this, but you would have to determine if this is feasible. You could have a script on a host inside your DC that does all the DNS querying for you and keeps track of changes in host-to-IP mappings. Then, when an IP changes, you could use the dashboard API to write those changes to the port forwarding configuration.

If you want to go the AnyConnect route, this could be an easier solution: by implementing RADIUS authentication, your customers can call in and get access to their machines only.
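One way the script suggested in the reply above could look, as an added example that is not part of the original post and not Meraki's own code. The rule name, FQDN and addresses are constructed, and the `portForwardingRules` endpoint, its `allowedIps` field and the API key header are assumed from Dashboard API v1 and should be confirmed against the current API documentation. On a failed or sinkholed lookup it keeps the last known addresses rather than widening the rule.

```python
import ipaddress
import json
import socket
import urllib.request

API = "https://api.meraki.com/api/v1"  # Dashboard API v1 base URL (assumed)

def resolve_ipv4(fqdn):
    """Return the IPv4 addresses the FQDN resolves to right now."""
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def usable(ip):
    """Reject sinkhole-style answers such as 0.0.0.0 or 127.0.0.1."""
    a = ipaddress.ip_address(ip)  # raises ValueError on a malformed answer
    return a.version == 4 and not (a.is_unspecified or a.is_loopback
                                   or a.is_link_local or a.is_multicast)

def refresh_allowed_ips(rules, fqdn_by_rule, resolver=resolve_ipv4):
    """Return (new_rules, changed). fqdn_by_rule maps a port forwarding rule
    name to the customer FQDN allowed to reach it (hypothetical mapping)."""
    new_rules, changed = [], False
    for rule in rules:
        rule = dict(rule)  # copy, so the caller's view of current state is kept
        fqdn = fqdn_by_rule.get(rule["name"])
        if fqdn:
            try:
                ips = sorted({ip for ip in resolver(fqdn) if usable(ip)})
            except (OSError, ValueError):
                ips = []
            # Fail closed: an empty or failed lookup leaves the last known
            # addresses in place and never falls back to "any".
            if ips and ips != sorted(rule.get("allowedIps", [])):
                rule["allowedIps"] = ips
                changed = True
        new_rules.append(rule)
    return new_rules, changed

def build_update(api_key, network_id, rules):
    """Build (not send) the PUT that replaces the network's rule list."""
    url = f"{API}/networks/{network_id}/appliance/firewall/portForwardingRules"
    return urllib.request.Request(
        url, data=json.dumps({"rules": rules}).encode(), method="PUT",
        headers={"X-Cisco-Meraki-API-Key": api_key,
                 "Content-Type": "application/json"})

if __name__ == "__main__":
    current = [{"name": "cust-a-rdp", "allowedIps": ["203.0.113.10"]}]  # constructed
    print(refresh_allowed_ips(current, {"cust-a-rdp": "cust-a.example.net"},
                              lambda _fqdn: ["203.0.113.77"]))
```

Run it on a schedule, fetch the current rules with a GET on the same path first, and send the request from `build_update` only when `changed` is true, so the full rule list is rewritten only on a real address change.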