He's mostly right, even if his explanation isn't as clear as it could be.
Currently, the Draytek handles the inbound NAT and will have the
public IP on the external interface, but he intends that the
Checkpoint should handle the inbound NAT.
This makes sense. The firewall is a better place to do the NAT functions, as it has more features and is more flexible than a consumer grade router. I assume he intends to turn off NAT on the router (if he can). If not, double NAT is an unnecessary complication, but it will work anyway.
Note that just because the "bridging LAN" has a private address, that does not mean the router has to do NAT.
He claims that the Draytek can be configured to selectively forward,
depending on destination port, incoming packets (pink packet on
diagram) without modification of the source/dest IP or hardware
address to the Checkpoint, which
will then perform inbound NAT to the internal device.
This doesn't make any sense to me. As I understand it, the Checkpoint
will then receive packets with the Draytek's external interface MAC
address and IP, which it will NAT to the internal device.
I think you're confused about where the /24 public network "lives." It doesn't "live" on the router.
The router will be configured to forward traffic destined for the public network to the firewall (i.e., the firewall is the next hop). So the router is just being a router. It will change the DMAC address to that of the firewall. The firewall will receive the packet, change the DestIP to an internal IP and forward it on. On the outbound path, the firewall will translate the source address to the external network and forward it to the router, which in turn will forward it to the ISP.
You must remember that a flow using NAT will look like two different flows: a flow pre-NAT, and a flow post-NAT. This is because NAT is changing one or more of the addresses in the packets. This can present a distorted view of your flows.
As Cisco explains it, NAT stitching will stitch the (apparently) separate flows to give you the single flow view:
Exporting NetFlow from the NAT devices will stitch both pre & post NAT
flows together.
The Cisco Press book NetFlow for Cybersecurity goes into more detail:
Lancope’s StealthWatch solution supports a feature called network
address translation (NAT) stitching. NAT stitching uses data from
network devices to combine NAT information from inside a firewall (or
a NAT device) with information from outside the firewall (or a NAT
device) to identify which IP addresses and users are part of a
specific flow. A great feature of the StealthWatch solution is its
ability to perform “NetFlow deduplication.” This feature allows you to
deploy several NetFlow collectors within your organization without
worrying about double or triple counting the traffic.
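One way to implement the stitching described above, as an added example that is not part of the original answer or of the StealthWatch product: it joins inside (pre-NAT) and outside (post-NAT) flow records through the NAT device's own translation table and collapses duplicate records reported by a second collector. The translation table and the flow records are constructed sample data, not taken from any real export.

```python
"""Stitch pre-NAT and post-NAT flow records via the NAT device's translation table."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """A 5-tuple flow record, with addresses as seen on one side of the NAT."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class StitchedFlow:
    """One flow view carrying both the private (pre-NAT) and public (post-NAT) source."""
    inside_src: str
    inside_sport: int
    outside_src: str
    outside_sport: int
    dst: str
    dport: int
    proto: str


# Constructed sample data: the NAT device's translation table as it would be exported,
# keyed (inside ip, inside port, proto) -> (outside ip, outside port).
XLATE: Dict[Tuple[str, int, str], Tuple[str, int]] = {
    ("10.0.0.5", 51234, "tcp"): ("203.0.113.10", 40001),
    ("10.0.0.7", 51235, "tcp"): ("203.0.113.10", 40002),
}
# Constructed flow records from the inside and outside collectors. The third inside
# flow has no translation yet; the third outside record is a duplicate from a second collector.
INSIDE_FLOWS = [Flow("10.0.0.5", 51234, "198.51.100.7", 443, "tcp"),
                Flow("10.0.0.7", 51235, "198.51.100.7", 443, "tcp"),
                Flow("10.0.0.9", 51236, "198.51.100.7", 443, "tcp")]
OUTSIDE_FLOWS = [Flow("203.0.113.10", 40001, "198.51.100.7", 443, "tcp"),
                 Flow("203.0.113.10", 40002, "198.51.100.7", 443, "tcp"),
                 Flow("203.0.113.10", 40001, "198.51.100.7", 443, "tcp")]


def stitch(inside: List[Flow], outside: List[Flow], xlate: Dict) -> Tuple[List[StitchedFlow], List[Flow], List[Flow]]:
    """Return (stitched flows, inside flows with no match, outside flows with no match)."""
    pending = set(outside)          # exact duplicates from several collectors collapse here
    stitched, unmatched_inside = [], []
    for f in dict.fromkeys(inside):  # dedupe while keeping record order
        t = xlate.get((f.src, f.sport, f.proto))
        post = Flow(t[0], t[1], f.dst, f.dport, f.proto) if t else None
        if post in pending:
            pending.discard(post)
            stitched.append(StitchedFlow(f.src, f.sport, t[0], t[1], f.dst, f.dport, f.proto))
        else:
            unmatched_inside.append(f)
    return stitched, unmatched_inside, [f for f in dict.fromkeys(outside) if f in pending]
```

Unmatched records on either side are worth keeping: an outside flow with no inside counterpart can mean a missing translation export, and an inside flow with no outside counterpart can mean the device dropped it.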
Best Answer
As a rule of thumb, I size my firewalls for 250 TCP sessions per user. That's on the high side right now, but as people start to use more and more cloud services (Dropbox, Office 365, etc.) the number of sessions per user is only going up in the near future, so I prefer to be on the safe side. This means a single public IP is enough to NAT for only 250 users.
If you have more users, you would need to use more public IP addresses for NAT. This is called a NAT Pool. Your firewall will use IPs from the pool to assign IP/port combinations as needed.
In Cisco IOS, you configure a NAT pool thus:
If you want to know everything about NAT, check out the Cisco documentation. It's an excellent read.