No, ALL CLIENTS should not be NAT'd. I just use one as an example. It is hard to explain, but think of my network as being contained by larger networks. The entire system is all IP based on a client basis. No NAT takes place on any firewalls except the public one going out to the net at the far end, i.e.:
Client1 -> Fire1(!NAT) -> Fire2(!NAT) -> Fire3(!NAT) -> Fire4 (NAT'd) -> WORLD WIDE WEB
Fire1, Fire2, Fire3 all have client-based rules, so the IP address of the client must pass through all 3 firewalls without being NAT'd. Problem is, my firewall wants to NAT them if I have different Public/Private IPs. If I have the same IPs Public/Private then I can disable NAT. Therefore I need a router on the outside of my firewall to translate 10.200.8.X to 10.200.59.X.
Any old router should do. Look for reviews. I imagine it's as simple as forwarding incoming packets for 10.200.8.x out of the 10.200.59.x port. If you plan to use a multi-port one, make sure it has a switch inside rather than a hub.
Personally I'd get something which can adapt to as many ideas as you might throw at it in its lifetime.
You can set a firewall rule on said router (assuming the router has one).
For example, on a Cisco router, you would attach the following rules to the 10.200.59.x port:
! extended ACL 101: any source to the 10.200.8.0/24 network (0.0.0.255 is the wildcard mask)
access-list 101 permit tcp any 10.200.8.0 0.0.0.255
access-list 101 permit udp any 10.200.8.0 0.0.0.255
This will allow both TCP and UDP packets trying to access anything with the IP 10.200.8.x, regardless of origin or logical port number. These rules are actually a bit dangerous, cos you're allowing anything to the 10.200.8.x network, but packets to any other networks would be dropped.
You could precede these rules with:
! same list number, entered first, so it is evaluated before the permits
access-list 101 deny tcp any any eq 23
which would block all Telnet access
access-list 101 deny tcp any any eq 139
which would block all NETBIOS packets.
The trick is to put the filtering on the outgoing physical ports, as opposed to the incoming. You may want to put "block all x" on the incoming physical port, as all your outgoing physical ports would be protected there, but the actual sorting and filtering works best by placing the rules on the applicable physical port.
Just to specify... physical port = Ethernet, logical port = FTP, Telnet, HTTP etc.
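As an added illustration (not code from anyone in this thread), here is a small Python evaluator that mimics IOS first-match processing of numbered extended ACL entries like the ones above, over a few constructed packets; it assumes all entries share one list number, since IOS applies a single ACL per interface and direction, and shows why the deny entries must come before the permits.

```python
# Added example: first-match evaluation of extended ACL lines with wildcard masks.
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


def parse_entry(line: str) -> dict:
    """Parse 'access-list N permit|deny proto src [wc] dst [wc] [eq port]'."""
    tok = line.split()
    assert tok[0] == "access-list", "unsupported line: %s" % line
    pos = 4  # index of the first address token

    def addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"  # every bit is don't-care
        net, wc = tok[pos], tok[pos + 1]
        pos += 2
        return net, wc

    src, dst = addr(), addr()
    dport = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
    return {"number": int(tok[1]), "action": tok[2], "proto": tok[3],
            "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, proto, src, dst, dport=None) -> str:
    """Return the action of the first matching entry; no match means implicit deny."""
    for e in (parse_entry(l) for l in acl_lines):
        if e["proto"] != proto or not wildcard_match(src, *e["src"]):
            continue
        if not wildcard_match(dst, *e["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"]
    return "deny"  # every IOS ACL ends with an implicit deny


# Constructed list in the order the reply recommends: denies first, then permits.
ACL_101 = [
    "access-list 101 deny tcp any any eq 23",
    "access-list 101 deny tcp any any eq 139",
    "access-list 101 permit tcp any 10.200.8.0 0.0.0.255",
    "access-list 101 permit udp any 10.200.8.0 0.0.0.255",
]
```

Calling `evaluate(ACL_101[2:] + ACL_101[:2], "tcp", "10.200.59.7", "10.200.8.5", 23)` (permits entered first) returns "permit", which is the ordering mistake the reply warns against.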