I just noticed that there are multiple public IP subnets. One is the WAN subnet (208.*.*.* /28) and another is the NAT/PAT-ed subnet (64.*.*.*). With this in mind, your customer can also do the following.
* Set up the network like the following
Internet -- 806 --- Firewall/Router/Layer-3 switch with DMZ --- Inside (192.168.1.0/24)
                              |
                              |
                             DMZ
* Move the 64.*.*.* to the DMZ
* Move the server to the DMZ as well
* Keep the 208.*.*.*/28 at the 806 just like now
* The server should directly have 64.*.*.* assigned without using a private IP subnet
* No NAT between this DMZ and the Internet
* No NAT between this DMZ and the Inside network
* There is NAT between the Inside network and the Internet, using the 208.*.*.* IP address just like now
* There should be a static route on the 806 router to reach the 64.*.*.* via the Firewall/Router/Layer-3
Check out the following FAQ for sample configurations.
* Cisco Forum FAQ » Router configuration to run server (with and without port forwarding)
* Cisco Forum FAQ » Configure DMZ on routers
* Cisco Forum FAQ » PIX Firewall/ASA configuration to run server (with and without port forwarding)
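
A sketch of the layout described in the post above, in Cisco IOS syntax; this is an added example, not part of the original post or of the linked FAQ. Assumed: the documentation ranges 203.0.113.0/28 and 198.51.100.0/28 stand in for the masked 208.*.*.*/28 and 64.*.*.* subnets, the DMZ mask is /28, a 10.0.0.0/30 transit link joins the 806 to the middle device, that device is an IOS router, and every interface name and next-hop address is illustrative.

```cisco
! ===== 806 router (keeps the WAN subnet and the only NAT in the design) =====
interface Ethernet1
 description WAN to ISP (assumed stand-in for 208.*.*.*/28)
 ip address 203.0.113.2 255.255.255.240
 ip nat outside
!
interface Ethernet0
 description Transit link to firewall/router (assumed 10.0.0.0/30)
 ip address 10.0.0.1 255.255.255.252
 ip nat inside
!
! NAT matches the Inside network only. The DMZ subnet is deliberately
! absent from this ACL, so DMZ hosts reach the Internet untranslated.
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface Ethernet1 overload
!
! Default route to the ISP (assumed gateway address).
ip route 0.0.0.0 0.0.0.0 203.0.113.1
! Static route for the public DMZ subnet via the firewall/router.
ip route 198.51.100.0 255.255.255.240 10.0.0.2
! Return path for Inside traffic before it is translated on the way out.
ip route 192.168.1.0 255.255.255.0 10.0.0.2
!
! ===== Firewall/Router/Layer-3 device (routes only, no "ip nat" anywhere) =====
interface FastEthernet0/0
 description Outside, toward the 806
 ip address 10.0.0.2 255.255.255.252
!
interface FastEthernet0/1
 description DMZ (assumed stand-in for 64.*.*.*); server gets an address here
 ip address 198.51.100.1 255.255.255.240
!
interface FastEthernet0/2
 description Inside
 ip address 192.168.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
```

After applying a layout like this, `show ip nat translations` on the 806 should list only 192.168.1.x inside-local addresses; an entry for a DMZ address means the NAT ACL is too broad.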