Hi Ahmed,
Thank you for posting your query here.
I was not able to understand the second part of your query, hence could you please elaborate on it a little more.
Coming to the first part of your query: if you are not using PAT then NAT will work like a one-to-one mapping, and there can be two scenarios based on the IPSEC mode you are using -
Tunnel Mode - In this mode the complete packet, including IP, TCP and data payload, gets encrypted and a new IP header is used to encapsulate the entire packet; these new IP addresses are the peer IP addresses of the VPN. In this case, if PAT is not used, then you will have a problem running traffic from different hosts through the IPSEC, as all of it will be from the same IP address and port (UDP 4500, encapsulated due to NAT-T) and hence NAT will not be able to differentiate between two hosts.
Transport Mode - In this mode only the TCP and data payload get encrypted, so the original IP header is still intact for the NAT. This means that traffic coming from two different hosts will have two different IP addresses (since the IP address is not encrypted) and will use UDP port 4500 due to NAT-T, and hence for this scenario to work you will need multiple IP addresses to NAT the different IP addresses of the hosts, because PAT is not enabled.
AFAIK SRX supports tunnel mode VPN only. The best example of tunnel mode is site-to-site VPN.
Hope this Helps. 🙂
Thanks,
Pulkit Bhandari
Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too.
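The reply above describes what a NAT device can see in each IPSEC mode and why one-to-one NAT without PAT runs into trouble when every host sends on UDP 4500. The following is an added example, not code from the reply or from Juniper: a small Python model of a source NAT with an address pool, with and without PAT, fed the packets it would see in tunnel mode versus transport mode. All addresses (the 10.0.0.x hosts, gateway 192.0.2.1, peer 203.0.113.1, outside pool 198.51.100.x) are constructed sample values, and the packet model is deliberately simplified (the ESP payload is just a placeholder string).

```python
"""Toy model of how a NAT device sees IPsec NAT-T (UDP 4500) traffic.

Added example, not from the original forum reply. It models the two IPsec
modes the reply describes and shows why one-to-one NAT without PAT needs one
outside address per inside host. All addresses are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

NAT_T_PORT = 4500  # ESP-in-UDP port used once NAT traversal is negotiated

# Constructed sample topology (RFC 5737 documentation ranges).
INSIDE_HOSTS = ["10.0.0.1", "10.0.0.2"]  # two hosts behind the NAT
LOCAL_GATEWAY = "192.0.2.1"               # their VPN gateway (tunnel mode)
REMOTE_PEER = "203.0.113.1"               # the far-end VPN peer


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: str  # stands in for the ESP-protected data


def as_seen_by_nat(inner_src: str, mode: str) -> Packet:
    """Build the packet the NAT receives for traffic originating at inner_src.

    tunnel:    original IP/TCP/data is encrypted and wrapped in a new IP header
               carrying the VPN peer addresses, so every inside host looks like
               gateway -> peer on UDP 4500.
    transport: only TCP/data is protected; the original source IP stays in the
               clear, and NAT-T still carries it in UDP 4500.
    """
    if mode == "tunnel":
        return Packet(LOCAL_GATEWAY, REMOTE_PEER, NAT_T_PORT, NAT_T_PORT, "<ESP>")
    if mode == "transport":
        return Packet(inner_src, REMOTE_PEER, NAT_T_PORT, NAT_T_PORT, "<ESP>")
    raise ValueError(f"unknown IPsec mode: {mode}")


class SourceNat:
    """Source NAT with an outside address pool; PAT is optional.

    Without PAT each inside (ip, port) keeps its port and must land on an
    outside address where that port is still free (one-to-one behaviour).
    With PAT a single outside address is shared and a fresh port is chosen.
    """

    def __init__(self, pool: List[str], pat: bool):
        self.pool = pool
        self.pat = pat
        self.bindings: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.in_use: Set[Tuple[str, int]] = set()
        self._next_pat_port = 1025

    def _allocate(self, inside_port: int) -> Optional[Tuple[str, int]]:
        if self.pat:
            out = (self.pool[0], self._next_pat_port)
            self._next_pat_port += 1
            self.in_use.add(out)
            return out
        for ip in self.pool:
            if (ip, inside_port) not in self.in_use:
                self.in_use.add((ip, inside_port))
                return (ip, inside_port)
        return None  # no outside address left with this port still free

    def translate(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.bindings:
            binding = self._allocate(pkt.src_port)
            if binding is None:
                return None  # cannot be mapped without colliding with a binding
            self.bindings[key] = binding
        out_ip, out_port = self.bindings[key]
        return Packet(out_ip, pkt.dst_ip, out_port, pkt.dst_port, pkt.payload)


def run_scenario(mode: str, pool: List[str], pat: bool) -> List[Optional[Packet]]:
    """Translate one packet from each inside host; None means it was dropped."""
    nat = SourceNat(pool, pat)
    return [nat.translate(as_seen_by_nat(host, mode)) for host in INSIDE_HOSTS]


def distinct_flows(results: List[Optional[Packet]]) -> int:
    """Count the distinguishable (src_ip, src_port) flows leaving the NAT."""
    return len({(p.src_ip, p.src_port) for p in results if p is not None})


if __name__ == "__main__":
    one_ip = ["198.51.100.1"]
    two_ips = ["198.51.100.1", "198.51.100.2"]
    print("transport, 1 IP,  no PAT:", run_scenario("transport", one_ip, False))
    print("transport, 2 IPs, no PAT:", run_scenario("transport", two_ips, False))
    print("transport, 1 IP,  PAT   :", run_scenario("transport", one_ip, True))
    print("tunnel,    2 IPs, no PAT:", run_scenario("tunnel", two_ips, False))
```

Running the four scenarios shows the two points from the reply: in transport mode with a single outside address and no PAT the second host cannot be bound because UDP 4500 is already taken, whereas a second outside address or PAT gives each host its own outside tuple; in tunnel mode both hosts arrive at the NAT as the same gateway-to-peer UDP 4500 packet, so the NAT ends up with exactly one flow regardless of pool size.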