Background: I have a Cisco 2811 router that I'm currently using as my router/firewall/VPN concentrator. I have an ADSL line hooked into it with Qwest and a block of static IPs. It does NATting in/out and out/in, and VPN users connect to one of the statics on it to get on the corporate network (and get a private 192.168.167.x IP). No problem, works fine.
Now I'm getting a new provider (2x T1s), a new firewall/router setup (Fortinet), and new static IPs. The new firewall/router will have the static block and will be doing the NATting. I want to take the Cisco 2811 now and just use it as a VPN device. I want to put it in a DMZ VLAN off the new router (the new router has multiple ports to do multiple separate security zones). Here's the crux. I want to have a public static IP on the new firewall that maps to a now-private address on the Cisco 2811 router (i.e. this will be a DMZ VLAN with a 192.168.168.x subnet, and the Cisco 2811 will have an IP of 192.168.168.3). VPN users will connect to the public static on the new firewall, will get NATted to the private address on the Cisco router, and they'll get their VPN connection.
I have never seen a Cisco VPN configuration where the Cisco router has a private IP (being NATted from somewhere else). There's always a public IP on the Cisco router, which the Cisco router uses both to terminate the VPN connection and to NAT the private VPN traffic out to the internet (as I'm currently doing).
Is what I'm asking possible? Or am I going to have to assign one of the public static IPs to my Cisco router's fe0 and just hang it off the new router?