Version 4.1 - 5.2 Cisco IOS firewalls and NAT
Interestingly enough, this mentions NAT in the main topic, but does not list it as a subtopic. Fortunately, I have experience with NAT on a router.
Here's a Cisco doc on IOS Firewall Configuration. If you don't have experience with this, I highly recommend the INE Advanced Technologies course. It covers configuring everything on the IOS firewall.
You may want to also take a look at the Configuring NAT on IOS page. It goes over many of the same NAT concepts as above in 5.1.d at the beginning. Normally, NAT on a router usually operates on just two interfaces (versus the firewall with multiple DMZ interfaces). You may want to look closely at the part "Address Translation of Overlapping Networks" and NAT overload.
Further down the page you will find the steps to configure NAT. Note that step 3 will be repeated until all your entries are complete. I have a bit of a disagreement with these steps. They say to configure the inside interface and then the outside interface. Here's what I found to work better:
If this is a router connected to the network, either use the console or out-of-band management to configure NAT. If you use your connection to the inside interface - if anything goes wrong, you could find yourself unable to connect to that inside interface. Also - if things go very badly, you may want someone available on-site to power cycle the router. Depending on what you're doing and your configuration, it could go very wrong. Some of the things that could go wrong that might not be obvious. Think about your aaa configuration and reachability with the tacacs server. If you're configured for aaa command authorization and you suddenly lose connectivity to the tacacs server in the middle of the configuration... Or say you connected using local authentication (after the tacacs server times out) - and then your configuration allows the device to connect to the tacacs server... Just realize that you may have to reconnect once you implement nat - depending on your current configuration. And make sure you enter both addresses (the one you use before nat is applied and the one you will use once nat is applied) in your tacacs configuration. This way you maintain connectivity with the tacacs server - even though it may work slowly (waiting for the first server to time out before trying the next configured server or local authentication).
Once you have taken into account your aaa configuration, start this with entering the nat commands. You can enter these commands all day long and it won't do anything until you enable inside and outside nat on the interfaces. Once all your entries are complete, configure the outside interface - then the inside interface.
And with that, I'm going to move on to the subtopics.