Assuming your router and your firewall both have more than two interfaces, and you have enough IP addresses, I will configure the Internet access like this:
On the router I will set up some inbound and outbound access lists to block traffic (inbound only ICMP Echo, no IP packets with a private address as source, …).
On the firewall I will set up NAT and block all unnecessary traffic up to layer 7 (have a proxy function).
Like this it will be easier to put an IDS between the router and the firewall, and the traffic analysis will be easier. This also allows you to put a host “in the Internet” behind the router, but in front of the firewall. Later you could also add a second firewall (or VPN concentrator) to terminate your VPN.
I hope these lines will help you.
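The router-side inbound access list described in the post, modelled as an added Python example (not the poster's configuration): rules are evaluated top-down with first match winning and an implicit deny at the end, the anti-spoofing denies for RFC 1918 and loopback sources come before the single permit for ICMP echo, so a forged private source can never match the permit. The addresses, rule ordering and the echo-request/echo-reply split are assumptions constructed for the demo, not taken from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ICMP = 1                      # IP protocol numbers
TCP = 6
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    icmp_type: Optional[int] = None   # only meaningful when proto == ICMP

@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    src: ipaddress.IPv4Network        # source prefix the rule applies to
    proto: Optional[int] = None       # None = any IP protocol
    icmp_type: Optional[int] = None   # None = any ICMP type

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return self.icmp_type is None or pkt.icmp_type == self.icmp_type

# Inbound ACL for the Internet-facing interface, in the order the router evaluates it
# (constructed for this example). The anti-spoofing denies come first: a permit placed
# above them would let a forged 10.0.0.0/8 echo request through.
INBOUND_ACL = [
    Rule("deny", ipaddress.ip_network("10.0.0.0/8")),        # RFC 1918
    Rule("deny", ipaddress.ip_network("172.16.0.0/12")),     # RFC 1918
    Rule("deny", ipaddress.ip_network("192.168.0.0/16")),    # RFC 1918
    Rule("deny", ipaddress.ip_network("127.0.0.0/8")),       # loopback
    Rule("permit", ANY, ICMP, ICMP_ECHO_REQUEST),            # inbound only ICMP echo
    Rule("permit", ANY, ICMP, ICMP_ECHO_REPLY),              # replies to our own pings
]

def evaluate(acl: list, pkt: Packet) -> str:
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"
```

Feeding constructed packets through `evaluate(INBOUND_ACL, ...)` shows that an echo request from a public source is permitted, the same request with a 10.x source is dropped by the anti-spoofing rule, and any TCP packet falls to the implicit deny.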