I have a situation where we have a number of remote sites which receive their internet access via an MPLS connection. They get access to the internet via a NAT router provided by the ISP in the MPLS cloud. They access the main corporate site LAN directly through the MPLS cloud via BGP learned routes. In these sites is located a Video Conference (VC) unit which needs to be able to communicate with both the other offices (easy using internal addressing) and "random" Public VC units owned by customers/partners, whose addresses are not generally known until the VC is scheduled and may change. The only public IP addresses available are coming into the Central site. These need to be NATed to the internal private IP of the remote site's device.
The problem is the following scenario:
"Random" VC 184.108.40.206 connects to the Central Site router on 220.127.116.11 public IP. This is NAT translated to 192.168.50.200 and routed over the MPLS network towards the remote site. The traffic arrives OK, and a reply is generated. At this point the reply is from 192.168.50.200 and destined TO the Public VC 18.104.22.168. The traffic leaves the remote site router, enters the MPLS cloud routers and the ISP's router sees a packet for a destination on the public internet NOT in the learned BGP routes for internal addresses, and forwards it to the MPLS NAT router. The packet leaves MPLS with an ISP-NATed IP address and arrives back at the originating device which ignores the traffic, because it's from a different IP than it started on. So no connectivity.
That scenario exists because there's only a basic configuration on the Central Site router with an "ip nat inside static" command to go from 192.168.50.200 to 22.214.171.124 public IP for the VC device. Obviously something else is needed, but I'm not sure what. I originally explored Route Map on the Remote site router to forward all traffic from the 192.168.50.200 IP to the Central router, but that only works if the alternate router is a next hop. In this case there are at least 2 other routers (we don't control) in the way first. The only thing we 'control' on them is the routing table via BGP. But it is undesirable to route ALL the remote site's traffic via the Central site...we just want to do it for the SINGLE IP of the VC device.
We don't really want to set up numerous static GRE/VPN tunnels between all the remote sites and the central site because of the overhead, lack of scalability, and desire to leave all the traffic "in the clear" in the MPLS cloud so that QoS tags are observed, so we are looking for an alternative either via NAT, BGP Routing, Route-Maps, or something else I'm not aware of.
To add a bit of complexity, there is also a hosted VoIP phone system whose traffic flows out into the MPLS "cloud" to the phone provider's network. This traffic uses internal addressing, so we should just need to avoid NATing it accidentally or something.
The diagram below shows a simple view of the WAN network and a single remote site.
(Full Size Diagram Attached)
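The asymmetric path described in the scenario above, as an added example that is not part of the original question: a small Python model of the four hops involved (the internet, the Central Site NAT router, the ISP's MPLS core router, the remote site router and the ISP's MPLS NAT router). The VC addresses are the ones from the scenario paragraph; the router names, the routing tables and the ISP NAT pool address 203.0.113.1 are constructed for the illustration. The model traces the inbound call and its reply and reports the source address the public VC unit sees. With the ISP core's default route pointing at its own NAT router the reply comes back from the ISP NAT address, which is the failure the post describes; the model also shows the case the post mentions but does not want, a default route for the whole site advertised from the Central Site over BGP, under which the reply is re-sourced to the Central public address.

```python
import ipaddress

# Addresses taken from the scenario paragraph of the post.
PUBLIC_VC = "184.108.40.206"       # the "random" public VC unit
CENTRAL_PUBLIC = "220.127.116.11"  # static NAT address on the Central Site router
REMOTE_VC = "192.168.50.200"       # private address of the remote site's VC unit
# Constructed for this example: the ISP's MPLS NAT pool (TEST-NET-3 range).
ISP_NAT_POOL = "203.0.113.1"
PRIVATE = ipaddress.ip_network("192.168.0.0/16")


def build_routes(default_via_central: bool) -> dict:
    """Constructed per-router tables: prefix -> next hop (router or endpoint).

    default_via_central=True models the option the post calls undesirable:
    the Central Site advertises a default route into the MPLS cloud, so the
    ISP core sends all non-internal traffic to Central instead of its NAT router.
    """
    return {
        "internet": {f"{CENTRAL_PUBLIC}/32": "central", f"{PUBLIC_VC}/32": "public-vc"},
        "central":  {"192.168.0.0/16": "mpls-pe", "0.0.0.0/0": "internet"},
        "mpls-pe":  {"192.168.50.0/24": "remote",
                     "0.0.0.0/0": "central" if default_via_central else "isp-nat"},
        "remote":   {"192.168.50.0/24": "remote-vc", "0.0.0.0/0": "mpls-pe"},
        "isp-nat":  {"0.0.0.0/0": "internet"},
    }


def next_hop(table: dict, dst: str) -> str:
    """Longest-prefix match over one router's table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1]


def apply_nat(router: str, src: str, dst: str) -> tuple:
    """NAT behaviour of the two translating devices in the post.

    Central: the static one-to-one mapping ("ip nat inside source static"),
    translating the destination inbound and the source outbound.
    ISP NAT router: overloads any private source onto its public pool address.
    """
    if router == "central":
        if dst == CENTRAL_PUBLIC:
            dst = REMOTE_VC
        elif src == REMOTE_VC:
            src = CENTRAL_PUBLIC
    elif router == "isp-nat" and ipaddress.ip_address(src) in PRIVATE:
        src = ISP_NAT_POOL
    return src, dst


def trace(routes: dict, start: str, src: str, dst: str) -> tuple:
    """Walk hop by hop until an endpoint; return (path, final src, final dst)."""
    path, node = [start], start
    while node in routes:              # endpoints are not in the routing map
        src, dst = apply_nat(node, src, dst)
        node = next_hop(routes[node], dst)
        path.append(node)
    return path, src, dst


def session(default_via_central: bool) -> dict:
    """Inbound call from the public VC unit followed by the remote unit's reply."""
    routes = build_routes(default_via_central)
    fwd_path, fwd_src, fwd_dst = trace(routes, "internet", PUBLIC_VC, CENTRAL_PUBLIC)
    rep_path, rep_src, rep_dst = trace(routes, "remote", fwd_dst, fwd_src)
    return {
        "forward_path": fwd_path,
        "reply_path": rep_path,
        "reply_seen_from": rep_src,
        # The public unit only accepts replies from the address it dialled.
        "reply_accepted": rep_src == CENTRAL_PUBLIC,
    }


if __name__ == "__main__":
    for flag in (False, True):
        s = session(flag)
        print(f"default via central={flag}: reply path {' -> '.join(s['reply_path'])}, "
              f"seen from {s['reply_seen_from']}, accepted={s['reply_accepted']}")
```

Running the block prints both traces; the `reply_accepted` flag is the check a practitioner would look at when reviewing a proposed fix, since any change to NAT or routing must bring the reply back out through the Central Site's static mapping rather than the ISP's NAT.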