ACS will always pick global address in case of PAT and there will be no workaround if ACS server is on outside.
Consider another instance of ACS in the customers network
Or
consider sending authentication traffic through Ipsec tunnel to ACS, if security is a concern to the client.
: Rohit