Send NAT traffic over Site-to-Site VPN

I am attempting to send NATed traffic over a site-to-site VPN to another server. I am using an IPsec tunnel, and traffic between the two tunnels works great. Here are some of the relevant details.

Site 1:

External IP: 1.1.1.1
External Port: 8080
Internal Network: 10.1.1.1/24

Site 2:

Internal Network: 10.2.2.1/24
Internal Server: 10.2.2.2
Internal Port: 80

So this is the flow: (internet device) -> 1.1.1.1:8080 -> (???) -> 10.2.2.2:80

I have created a destination NAT with my destination as the 10.2.2.2 IP, but the traffic never makes it there. There are no firewall events firing on these packets. My question is, what am I missing in the (???) part of the flow? I feel like there is a route that needs to be added that would tell any external traffic coming into the site 1 network to hop over the site-to-site network on down the line. Do I need to create a static route to allow this? 

  • This was answered correctly in the old astaro.org forum, Jason, but that's presently unavailable. Since you seem knowledgeable already, I'll give you a way to figure this out instead of telling you the answer. Make a diagram of the devices. Label each port with its IP. Show the source & Destination IPs each device will have on packets arriving and leaving. What kind of NAT rule does that imply?

    Cheers - Bob

  • Yeah, I was trying to search the old forum, but it's pretty unusable. I see the full NAT both ways, but I didn't think that would apply to a VPN. However, I just tried it out and that seems to have worked! I used my internal "address" as the source. Would you recommend something else?

    Would this also apply to connecting through one VPN to another? There is a third site with the site 1 mentioned above in the middle. But 2 can't get through 1 to 3. The only issue I see with the Full NAT would be that now I am NATing and my traffic is no longer the original source address.
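Bob's exercise above (draw the devices, label each port, write down the source and destination on every packet) can be done as a small model. The following is an added example, not part of the thread and not Astaro/Sophos code; it traces the question's flow (internet client -> 1.1.1.1:8080 -> 10.2.2.2:80) through site 1 with DNAT only and then with the full NAT that Jason reports working. The addresses 1.1.1.1, 10.1.1.1, 10.2.2.2 and the ports come from the question; the client address 203.0.113.5, the source port, and the tunnel behaviour are assumptions. The key assumption is a policy-based IPsec tunnel whose traffic selectors are 10.1.1.0/24 <-> 10.2.2.0/24, so a packet whose source is still the public client address is never put into the tunnel and never reaches a firewall rule, which matches the "no firewall events" symptom.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology from the thread; values not given in the thread are assumptions.
SITE1_EXTERNAL = "1.1.1.1"                     # site 1 WAN address (from the question)
SITE1_INTERNAL = "10.1.1.1"                    # site 1 UTM LAN address (from the question)
SITE1_NET = ipaddress.ip_network("10.1.1.0/24")
SITE2_NET = ipaddress.ip_network("10.2.2.0/24")
SERVER = "10.2.2.2"                            # site 2 web server (from the question)
CLIENT = "203.0.113.5"                         # assumed internet client (TEST-NET-3 documentation range)
CLIENT_SPORT = 40000                           # assumed ephemeral source port

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# Assumed NAT state table: maps the post-NAT (src, sport) back to the original client.
CONNTRACK = {}

def tunnel_selector_matches(pkt):
    """Policy-based IPsec: the SA only carries packets whose source and destination
    both fall inside the negotiated selectors (site 1 LAN <-> site 2 LAN). A packet
    outside them is dropped before any firewall rule sees it, so nothing is logged."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return (s in SITE1_NET and d in SITE2_NET) or (s in SITE2_NET and d in SITE1_NET)

def site1_nat(pkt, full_nat):
    """DNAT 1.1.1.1:8080 -> 10.2.2.2:80. With full_nat also SNAT the source to the
    UTM's LAN address, which is what Jason reports as the working configuration."""
    if pkt.dst == SITE1_EXTERNAL and pkt.dport == 8080:
        orig = (pkt.src, pkt.sport)
        pkt = replace(pkt, dst=SERVER, dport=80)
        if full_nat:
            pkt = replace(pkt, src=SITE1_INTERNAL)
        CONNTRACK[(pkt.src, pkt.sport)] = orig
    return pkt

def site1_unnat(reply):
    """Reverse translation for the server's reply using the state table."""
    if reply.src == SERVER and reply.sport == 80:
        reply = replace(reply, src=SITE1_EXTERNAL, sport=8080)
        orig = CONNTRACK.get((reply.dst, reply.dport))
        if orig:
            reply = replace(reply, dst=orig[0], dport=orig[1])
    return reply

def trace(full_nat):
    """Return (delivered, hops): the per-hop src/dst diagram Bob asks for."""
    CONNTRACK.clear()
    hops = []
    pkt = Packet(CLIENT, CLIENT_SPORT, SITE1_EXTERNAL, 8080)
    hops.append(("client -> site 1 WAN", pkt))
    pkt = site1_nat(pkt, full_nat)
    hops.append(("after site 1 NAT", pkt))
    if not tunnel_selector_matches(pkt):
        hops.append(("IPsec", "dropped: src/dst outside tunnel selectors"))
        return False, hops
    hops.append(("IPsec -> site 2 server", pkt))
    reply = Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)
    hops.append(("server reply", reply))
    if not tunnel_selector_matches(reply):
        hops.append(("IPsec (return)", "dropped: reply outside tunnel selectors"))
        return False, hops
    reply = site1_unnat(reply)
    hops.append(("site 1 -> client", reply))
    return True, hops

if __name__ == "__main__":
    for mode, full in (("DNAT only", False), ("full NAT", True)):
        ok, hops = trace(full)
        print(f"{mode}: {'delivered' if ok else 'FAILED'}")
        for where, what in hops:
            print(f"  {where:24} {what}")
```

With DNAT only, the packet leaving the NAT step still carries the public client address as its source, so it fails the selector check and is silently dropped; with full NAT the forward and reply packets both sit inside 10.1.1.0/24 <-> 10.2.2.0/24 and the state table restores the real client on the way back. The model covers only the two-site case in the question; the three-site (2 -> 1 -> 3) question in the follow-up would need the same selector check applied to both tunnels at site 1, which this example does not model.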