I'm thinking about a scalable VCS Expressway design in a service-provider architecture.
Some customers reach the VCS-E through an MPLS network, others through the Internet (each customer with its own VCS-C).
I have a VCS-E with dual NIC and the NAT feature enabled.
The VCS-E is in a private network.
In this architecture, if I NAT the VCS-E address to a public IP address, I can't inject the public IP into the customer VPNs (customers use private addressing, and anyway they don't want to receive a public IP address from MPLS or from the Internet). And I can't inject a private IP address into the Internet; in addition, each customer wants to use a VCS-E IP address compliant with their IP plan... so maybe customer A wants to use a 172.31.x.y address, and customer B a 192.168.x.y IP address.
The best solution could be to NAT the VCS-E address to a different IP address for each customer / the Internet via the firewall, so for example VCS-E 10.1.1.1 to 172.31.24.1 for customer A, to 192.168.24.1 for customer B, and to 80.x.y.z for the Internet, based on firewall context... but I'm not sure I can do that (can I? I think I can only NAT the VCS-E IP address statically 1 to 1).
I attach a figure showing the network design.
In your design it is allowed to do NAT between VCS-C and VCS-E if you set them up using traversal links/zones, which I guess is what you plan to do. A neighbour zone will fail in this design.
So your customer can have a VCS-C on their private network, and that one connects to your VCS-E over a NAT firewall as you describe in the "best solution". There is no need to NAT any IP address back to the customer, since the VCS-C will only make an outbound connection to the VCS-E.
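The per-customer 1:1 NAT from the question, combined with the answer's point that only the VCS-C opens connections, can be expressed as a firewall ruleset. The following nftables ruleset is an added example written for this thread, not configuration from either poster or from Cisco. It assumes a Linux firewall with one interface per customer "context" (`mpls-custA`, `mpls-custB`), an Internet-facing `wan` and a `dmz` interface towards the VCS-E; the interface names, the public address `80.0.0.1` (standing in for the thread's 80.x.y.z) and the port value are assumptions, while `10.1.1.1`, `172.31.24.1` and `192.168.24.1` are the addresses from the question.

```nftables
# Added example, not from the thread: nftables ruleset for the service-provider
# firewall in front of the VCS-E. Interface names, the public address and the
# port value are assumptions; 10.1.1.1 / 172.31.24.1 / 192.168.24.1 come from the question.
define vcse_real   = 10.1.1.1       # VCS-E private address (from the question)
define vcse_custA  = 172.31.24.1    # address customer A sees, matching their IP plan
define vcse_custB  = 192.168.24.1   # address customer B sees
define vcse_public = 80.0.0.1       # placeholder for the thread's 80.x.y.z
# Placeholder: replace with the traversal-zone ports from the Expressway port
# reference for your release; 7001 is only an example value.
define traversal_tcp = { 7001 }

table ip vcse_nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # One "context" per interface: the same VCS-E is reachable under a
        # different 1:1 address on each customer network and on the Internet.
        iifname "mpls-custA" ip daddr $vcse_custA  dnat to $vcse_real
        iifname "mpls-custB" ip daddr $vcse_custB  dnat to $vcse_real
        iifname "wan"        ip daddr $vcse_public dnat to $vcse_real
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Replies to the DNAT'd flows above are reversed by conntrack on their own.
        # These rules only matter if the VCS-E itself ever originates traffic:
        # it then leaves with the address each customer expects.
        oifname "mpls-custA" ip saddr $vcse_real snat to $vcse_custA
        oifname "mpls-custB" ip saddr $vcse_real snat to $vcse_custB
        oifname "wan"        ip saddr $vcse_real snat to $vcse_public
    }
}

table ip vcse_filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Traversal zone: the customer VCS-C initiates every connection, so
        # only customer -> VCS-E "new" flows are allowed. Nothing is opened
        # from the VCS-E back into a customer network, so no address of the
        # provider side ever needs to be injected into customer routing.
        iifname { "mpls-custA", "mpls-custB", "wan" } oifname "dmz" ip daddr $vcse_real tcp dport $traversal_tcp ct state new accept
    }
}
```

The customer-facing addresses (172.31.24.1, 192.168.24.1, 80.0.0.1) must be routed to, or configured on, the firewall itself for the prerouting DNAT to see the packets. The default `drop` policy in the forward chain is what enforces the answer's model: a connection that does not originate on the customer side towards the VCS-E never crosses the firewall, which is also a useful thing to alert on if it shows up in the firewall's logs.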