In this scenario, I believe the following is the case.
A modem cannot obtain an IP-address; it is always a bridge between a device and a network. This means the router obtains an address from the ISP through the modem.
Generally, the obtained IP-address is a public IP-address (I know of no other setup than that), thus the ISP doesn't have to do NAT or PAT. Mostly, the ISP doesn't even have a firewall in between the client-router/modem and the internet.
I say a modem cannot obtain an IP-address, because a modem is for signal-conversion only; it does not make decisions.
For example, a telephone-modem is used for initiating the connection. Your computer gets an IP-address through your modem.
In a router, a connection-device (Ethernet, DSL-WIC) does have an IP-address.
That's because the router has to know what addresses are connected, i.e. what exits it has. However, the router has the IP-addresses, not the actual interface.
In the case of the branch office, what is the IP of the router and modem? And what IP-address do internet-sites see?
I think they are all one and the same...
By the way, NAT-T is indeed for fixing problems with NAT-devices. However, even in the documentation of the Concentrators, they state that it will only work if either one or both sides are each behind a (single) NAT-device. That has to do with the port-translations and encapsulation of the IP-addresses. If a single device is behind multiple NAT-devices, the source IP-address will be altered too many times, and will therefore be the wrong one when it reaches the endpoint.