
Sophos XG 125 - Instructions for Setting up SNAT over an IPSec site to site to a credit card processor.

We have a Sophos XG 125 with a flat internal network.

We are trying to set up a connection to a credit card processor with the following instructions:

"We want to narrow down the phase 2 encryption to a /32 host. If we can essentially take whatever was source-NAT’ed prior to go out to 'creditcardprocessor.net' externally via an external IP, and SNAT that to 1  x RFC1918 internal address, that would be preferred. We could also agree on a source NAT scheme that does not include your 192.168.1.0/24, and rather, a 172.16.14.site-property/32 design."

I have set up regular site-to-site VPN tunnels between Sophos and other products and I think I understand the basics of this, but this is a bit much for me. Can anyone help me translate this or point me to some reading that can help?


 - Steve



  • Basically they want to perform a SNAT in the Tunnel.

    https://community.sophos.com/kb/en-us/123356

    You can do following:

    Take a /24 Network and NAT it to a /24 Network (Called 1:1 NAT).

    Take a /24 Network and NAT it to a /32 Address (Basically SNAT One Way). 

    Take a /32 Address and NAT it to a /32 Address (Basically FullNAT).


    The left part is your Network. 

    The right part (after NAT) is the IP you use in the tunnel to your opponent. 


    The point is: you have to use this in the SA (IPsec Config). This will lead to "an agreement with the other site". 


    Let's paint a picture.

    You have 192.168.1.0/24 on your LAN.

    You want to use 10.0.0.1/32 in the Tunnel (an address). 


    So you set up the IPsec tunnel: Local Network is: 10.0.0.1/32 and you "tick" NAT to and select 192.168.1.0/24. 

    So the other site has to set up and also use the 10.0.0.1/32 to build up the tunnel.
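The following Python model is an added example, not code from the thread or from Sophos; it reproduces the three NAT-in-tunnel mappings listed in the reply above (/24 to /24, /24 to /32, /32 to /32) and then checks whether the translated packet still matches the Phase 2 traffic selectors. The function names and the processor host 203.0.113.10 are constructed for illustration; the prefixes 192.168.1.0/24, 10.0.0.1/32 and 172.16.14.0/24 come from the thread.

```python
import ipaddress


def translate_source(src, local_net, nat_net):
    """Apply the NAT mapping the reply describes (hypothetical helper).

    - equal prefix lengths (/24 -> /24, /32 -> /32): 1:1 NAT, host offset kept
    - any prefix -> /32: one-way SNAT, every host becomes the single address
    Returns None when src is not inside local_net (nothing to translate).
    """
    src = ipaddress.ip_address(src)
    local = ipaddress.ip_network(local_net, strict=False)
    nat = ipaddress.ip_network(nat_net, strict=False)
    if src not in local:
        return None
    if nat.num_addresses == 1:
        # many-to-one SNAT: 192.168.1.0/24 -> 10.0.0.1/32
        return nat.network_address
    if nat.prefixlen == local.prefixlen:
        # 1:1 NAT: 192.168.1.55 -> 172.16.14.55, offset preserved
        return nat.network_address + (int(src) - int(local.network_address))
    raise ValueError("1:1 NAT needs equal prefix lengths; use a /32 for one-way SNAT")


def enters_tunnel(src, dst, local_net, nat_net, phase2_local, phase2_remote):
    """Return (translated_src, selected).

    selected is True only when the post-NAT source lies inside the Phase 2
    local selector and dst lies inside the remote selector. This is the point
    of the reply: the SA must carry the NATed address, not the LAN prefix.
    """
    translated = translate_source(src, local_net, nat_net)
    if translated is None:
        return None, False
    selected = (translated in ipaddress.ip_network(phase2_local)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(phase2_remote))
    return translated, selected


if __name__ == "__main__":
    lan = "192.168.1.0/24"
    processor = "203.0.113.10/32"   # constructed stand-in for the remote /32 host
    cases = [
        # (description, nat_net, phase2_local)
        ("SNAT /24 -> /32, SA uses 10.0.0.1/32 (correct)", "10.0.0.1/32", "10.0.0.1/32"),
        ("SNAT /24 -> /32, SA still uses the LAN /24 (wrong)", "10.0.0.1/32", lan),
        ("1:1 NAT /24 -> 172.16.14.0/24, SA uses 172.16.14.0/24", "172.16.14.0/24", "172.16.14.0/24"),
    ]
    for desc, nat_net, p2_local in cases:
        translated, ok = enters_tunnel("192.168.1.55", "203.0.113.10", lan, nat_net, p2_local, processor)
        print(f"{desc}: 192.168.1.55 -> {translated}, selected into tunnel: {ok}")
```

The second case is the failure mode worth checking on the firewall: with the NAT configured but the Phase 2 local network left at 192.168.1.0/24, the translated packet no longer matches the SA and never enters the tunnel, which shows up as the processor seeing no traffic at all rather than traffic from the wrong address.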