I got asked this question today by somebody. Whilst I've set up numerous WatchGuard firewalls in the last few years, nearly all have been on a conventional public LAN; a few have been behind a single static IP NAT'd from the router and have worked.
I've spent enough hours/days/weeks trying to overcome incorrectly NAT'd packets for VPN connectivity issues before to know that it is just best avoided. I've never tried setting up a Cisco firewall other than having a public IP on the WAN ports, so what would happen if I tried NAT?