MAC spoofing as a way of saving money (and IPv4 addresses)

If you need an IPSEC concentrator to be separate from a firewall, you usually need at least two public IPs to avoid NAT-T. Here’s a way to do it with just one public IP:

[Image: MACspoofingToRunMultipleDevicesOnOneIP.png]

While possible, that’s considered a taboo practice. It’ll kinda work for low volumes of traffic, but it’ll be a collision nightmare beyond that.

If you’ve already spent the money for a VPN concentrator and a firewall, just put a router there and NAT the correct way.