I have set up a few of our older 5GTs for some execs in the same fashion. Here are a couple of things that can make your life a bit easier. This has worked for most brands of home router (Linksys, D-Link, etc.).
Most home routers are open from the inside. They allow all outbound access. So ports shouldn't be an issue for the outbound connections.
NSM
When you add the device in the NSM, you want to add the device as unreachable. When you go through the wizard you can either generate a configlet, or you can just generate the CLI and paste it on the 5GT. The 5GT will then connect to the NSM, and this persistent connection will allow you to manage it without having direct access. One neat feature of the NSM is the ability to use the connection to send CLI commands for troubleshooting. You can right-click on the device in the NSM, and use the troubleshoot functionality to run some CLI commands. It's not pretty, but it is functional.
Residential Router's Gaming DMZ
You can use a combination of the residential router's gaming DMZ function and Dynamic DNS on the residential router to allow remote access to the 5GT for management via SSH. Create a reservation on the residential router for your 5GT, and then publish it via the gaming DMZ function that most residential routers have.
VPN
With the 5GT using DHCP on the untrust interface, when you go into the VPN manager it should create a dynamic VPN. Make sure you check the NAT traversal button in the VPN manager in the NSM. Both Dynamic VPN and NAT traversal must be configured for this to work behind the NAT device.
That has worked for me. Anytime you are behind a NAT device it complicates the config a bit. Hope this helps you.
Message Edited by shadow on 01-06-2009 11:23 AM
Message Edited by shadow on 01-06-2009 11:25 AM