The port forwarding only applies to manual NAT traversal. If you use auto NAT traversal, it takes care of that. Because all of the connections are coordinated through the dashboard, the Auto-VPN will typically work even if all nodes are behind NAT. I’ve used them on the end of Verizon (CG-NAT) connections and they work fine. I have had one instance where three of them were behind the same single IP NAT and the third would fail to connect. We had to get one of them moved to a different NAT IP to solve that.
If you’re looking for a simple-to-use, easy-to-manage VPN appliance, the MX (and Z) Meraki products will work. The config is entirely handled through the dashboard, so no-touch, drop-ship deployments are an option. You can provide view-only access to users per network, so the customer or a first-level tech could be given the ability to look but not break anything.
All of the MX and Z products will work in a single VPN, so you can pick the device that best fits the requirements. For a small office with one or two people, the Z3 works great; it even has one PoE port for an IP phone. For larger sites or the core site, they go up to 6Gb (I think) of throughput for the MX450, with redundant power and uplinks.
As others have pointed out, they are license-based and they don’t work without a license, and they are a Cisco product, so pricing will depend on how good your relationship is with your Cisco rep. One big caveat: they are still lacking in the IPv6 realm, so if that is a requirement, they won’t work right now.
–Rich