When you assign external IP addresses to your clients, you are exposing them to the wild world of the internet. This means that unless the clients have strong firewalls and are completely patched (even then there are 0-day exploits), it is likely the systems will be compromised very quickly. It is always best practice to have private addresses behind your firewall/gateway and let it do the NAT for you. Most of them will do it dynamically and no additional configuration is likely needed. If you need to expose a system using an IP address, be sure to expose ONLY the necessary service(s) and disable/block everything else on that host.