Cisco ASA behind pfSense firewall on VIP

  • Controls contractor insists they have their own VPN endpoint, a Cisco ASA.  Management has told us to make it work.  We have a smallish internet connection, so would prefer the pfSense already in place control the WAN link.  Is there a way to NAT one public address while passing through another to the ASA.  We have spare ports.  We know that a switch in front of both appliances is the easiest solution, but we loose control of the WAN bandwidth.  A second pfSense appliance in WAN-LAN bridge would also give us the control.  Looking for a possible single pfSense appliance solution.