
NAT over 2 VPN Connections

See the image below for the layout. Users behind the Meraki firewall need to reach the server behind the ASA firewall by traversing the Site2Site network between the Meraki and XG, then over the Site2Site between the XG and ASA.

We know it's possible if we include the Meraki LAN in the config between the XG and ASA, but we would like to avoid that, if possible, for several reasons.  

I tried setting up NAT based on these instructions:

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SiteToSiteVPN/HowToArticles/S2sVPNIPsecCreateIPsecRouteNAT/index.html

In my case, instead of the remote network needing to reach the Head Office DMZ, it needs to reach a network that is across another Site2Site VPN, but it's not working.  Maybe I set something up wrong or maybe it won't work because there are 2 VPN connections involved?



Added TAGs
[edited by: Raphael Alganes at 3:11 PM (GMT -8) on 9 Jan 2025]
  • Can you show us your NAT rules and did you setup the IPsec Route on CLI as well? 


  • Here are the NAT and Reflexive NAT rules.

    Yes, I setup the IPsec Route in the CLI

  • Hi, is your S2S IPsec policy-based or route-based?

  • Currently it's policy based. I tried switching it over to route based, but while the connection was established, I couldn't pass traffic in either direction and I didn't have time to mess with it.

    The connection between the XG and ASA is route based.  

  • With policy based VPN, on SFOS, LAN traffic of Meraki coming into SFOS over VPN will go through the ipsec0 interface (this is a pseudo interface used for routing the traffic into another port). On the ipsec0 interface, I don't think there is any way to apply NAT rules (on UI) or the ipsec_route command (using CLI) to instruct changing the source IP or destination IP to an IP of the LAN behind ASA.

    With Route based VPN, assuming you use route based VPN on Meraki and on ASA, it is straight forward and no NAT'ing required:

    * Establish route based VPN between Meraki and SFOS, and from SFOS to ASA with traffic selectors as Any/Any (Any/Any is with reference to SFOS, you can use equivalent of it on Meraki and ASA).

    * On SFOS, add an ip to xfrm interface towards Meraki and towards ASA; similarly, equivalent configs to be done on Meraki and ASA.

    * Add static route on Meraki to reach LAN of ASA via the interface on Meraki that is equivalent of xfrm on SFOS. I am not sure what is the equivalent of xfrm on Meraki.

    * Add static routes on SFOS separately to reach LAN of Meraki and LAN of ASA via corresponding xfrm interfaces.

    * Add static route on ASA to reach LAN of Meraki via tunnel interface (or the equivalent of xfrm interface on ASA).

    * Now, LAN of Meraki should be able to reach LAN of ASA or vice-versa.

    If you are not able to pass traffic via route based VPN, please refer to some of the documents available on the Internet related to this.

  • One of the issues we are facing with implementing it like you suggest, is that a 3rd party controls the ASA, and getting them to make changes to the config is a difficult process. 

    We were hoping to use NAT (PAT, actually, but if assigning static or dynamic NAT was required, that would be OK. There aren't that many machines that need to reach this server), so that traffic coming from the Meraki LAN to the remote server would look to the ASA like it was coming from a single IP or multiple IPs on our primary LAN.

    If this is not achievable, I’ll resign myself to working with the 3rd party to resolve this.  
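The two designs in this thread (the route-based chain with static routes on all three devices, and the original poster's wish to SNAT Meraki traffic on the XG so the ASA only ever sees the primary LAN) differ only in where the return route has to exist. The script below is an added example, not code from the thread or from Sophos, Meraki or Cisco; the addresses, interface names (xfrm1, xfrm2, tunnel1, PortA) and the NAT address are constructed. It models each device as a longest-prefix-match routing table and only passes a design when the forward lookup and the return lookup succeed at every hop, which is the usual reason a tunnel shows as established while no traffic passes.

```python
"""Reachability model for the Meraki -> SFOS -> ASA chain discussed in this thread.

Added example, not Sophos, Meraki or Cisco code; the addresses, interface
names and NAT address below are constructed for illustration. Each device is
a longest-prefix-match routing table. A design only passes when the forward
lookup AND the return lookup succeed at every hop, which is the usual reason
a tunnel shows "established" but carries no traffic.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed addressing (assumption, not from the thread).
MERAKI_LAN = "10.10.0.0/24"   # users behind the Meraki
SFOS_LAN = "10.20.0.0/24"     # "primary LAN" behind the XG
ASA_LAN = "10.30.0.0/24"      # server network behind the ASA
CLIENT, SERVER, NAT_IP = "10.10.0.25", "10.30.0.50", "10.20.0.254"

# (prefix, next device or None when directly connected, egress interface)
Route = Tuple[str, Optional[str], str]
Hop = Tuple[str, str]


def lpm(table: List[Route], dst: str) -> Optional[Tuple[Optional[str], str]]:
    """Longest-prefix match; returns (next device, interface) or None if no route."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, via, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, via, iface)
    return None if best is None else (best[1], best[2])


def trace(devices: Dict[str, List[Route]], start: str, dst: str,
          max_hops: int = 8) -> Optional[List[Hop]]:
    """Follow dst hop by hop from 'start'; None means dropped (no route) or looped."""
    path, cur = [], start
    for _ in range(max_hops):
        hit = lpm(devices[cur], dst)
        if hit is None:
            return None
        via, iface = hit
        path.append((cur, iface))
        if via is None:          # connected network: delivered
            return path
        cur = via
    return None


def round_trip(devices, src_dev, src, dst, snat=None):
    """Forward path plus return path. snat=(device, egress iface, nat_ip) models
    a source NAT on that device's egress: the far side replies to nat_ip and the
    NAT device un-translates and forwards the reply to the real client."""
    fwd = trace(devices, src_dev, dst)
    if fwd is None:
        return fwd, None
    reply_to, nat_dev = src, None
    if snat and (snat[0], snat[1]) in fwd:
        nat_dev, _, reply_to = snat
    back = trace(devices, fwd[-1][0], reply_to)
    if back is None:
        return fwd, None
    if nat_dev is not None:
        if back[-1][0] != nat_dev:       # reply did not land on the NAT device
            return fwd, None
        tail = trace(devices, nat_dev, src)
        back = None if tail is None else back[:-1] + tail
    return fwd, back


def build_devices(asa_has_meraki_route: bool) -> Dict[str, List[Route]]:
    """Route-based topology from the post: xfrm interfaces on SFOS, tunnel on ASA."""
    asa: List[Route] = [(ASA_LAN, None, "inside"), (SFOS_LAN, "sfos", "tunnel1")]
    if asa_has_meraki_route:             # step 5 of the post, needs the 3rd party
        asa.append((MERAKI_LAN, "sfos", "tunnel1"))
    return {
        "meraki": [(MERAKI_LAN, None, "lan"), (SFOS_LAN, "sfos", "vpn"), (ASA_LAN, "sfos", "vpn")],
        "sfos": [(SFOS_LAN, None, "PortA"), (MERAKI_LAN, "meraki", "xfrm1"), (ASA_LAN, "asa", "xfrm2")],
        "asa": asa,
    }


def evaluate_designs() -> Dict[str, bool]:
    """True when client->server traffic and its replies are both routable."""
    results = {}
    # 1. ASA never learns the Meraki LAN: tunnel up, replies dropped on the ASA.
    fwd, back = round_trip(build_devices(False), "meraki", CLIENT, SERVER)
    results["route_based_no_asa_route"] = fwd is not None and back is not None
    # 2. ASA gets a static route for the Meraki LAN (step 5 in the post).
    fwd, back = round_trip(build_devices(True), "meraki", CLIENT, SERVER)
    results["route_based_full"] = fwd is not None and back is not None
    # 3. SNAT on SFOS toward the ASA: the ASA only ever sees the SFOS primary LAN.
    fwd, back = round_trip(build_devices(False), "meraki", CLIENT, SERVER,
                           snat=("sfos", "xfrm2", NAT_IP))
    results["snat_on_sfos"] = fwd is not None and back is not None
    return results


if __name__ == "__main__":
    for name, ok in evaluate_designs().items():
        print(f"{name:28s} {'bidirectional' if ok else 'one-way / dropped'}")
```

Run it as-is to see the three outcomes side by side: the route-based chain fails until the ASA carries a return route for the Meraki LAN, while the SNAT design passes with the ASA configuration untouched, because replies are addressed to the XG's primary LAN and the XG undoes the translation. That is the property to check first when a tunnel is up but only one direction works: trace the reply, not just the request.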
