You can’t configure NAT that way, your issue is to do with your topology.
That’s the point of NAT. Post-NAT, the outside world (in your example, the firewall from NAT’s perspective running on the 2811) doesn’t see what the originating IP is (*with some exceptions where it is embedded into the protocol, e.g., X-originating-IP email header, FTP control channel, etc.).
I’d swap the router and the firewall around so that it goes:
ISP -> Cisco router -> firewall and do NAT on the firewall. This way the firewall sees the originating IP inside, and has a public IP (or any number of IPs from your /24) on its outside.
Yes, your router will be out on the internet, but that’s where they live. You should harden it appropriately (turn off services, etc.).
I have a similar setup to what I describe above. I also have an ACL inbound on the router WAN interface to limit what traffic can get to my firewall. So in effect I am using the router as a bit of a dumb firewall in front of the firewall. It drops OBVIOUSLY bad/undesired traffic before the firewall even sees it, where the firewall can do more detailed inspection, etc.
If you’re running VOIP or something like that on the external router, I’d suggest maybe not doing that (and move VOIP to another router behind your firewall) or make sure to be careful to protect it with ACLs.
You should probably be doing NAT on the firewall (and not the router) anyway; the firewall will likely have more intelligent NAT-fixup code in it to make various NAT-unfriendly protocols work better.
Do you even need the router at all? What job is it doing that your firewall can’t/won’t do for you (e.g., CUBE voip gateway, etc.)? If your answer is “nothing” then just ditch the router entirely, use the firewall to connect direct to the ISP and your LAN(s), and simplify things like that.
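As an added illustration (not part of the answer above, and not the poster’s own configuration), this is what the “dumb firewall in front of the firewall” ACL and the basic router hardening the answer mentions look like in Cisco IOS syntax for the ISP -> router -> firewall layout it recommends. Every address and interface name is a constructed assumption: 198.51.100.0/30 stands in for the ISP point-to-point link, 203.0.113.0/24 for the routed public /24 (both are documentation ranges), FastEthernet0/0 is the WAN side and FastEthernet0/1 the link to the firewall, whose outside interface is assumed to be 203.0.113.2. NAT itself is left to the firewall, as the answer suggests, so no NAT statements appear on the router.

```cisco
! Added example, not from the original post. Constructed assumptions:
!   FastEthernet0/0 = WAN to ISP, 198.51.100.2/30 (ISP side is .1)
!   FastEthernet0/1 = link to firewall, router 203.0.113.1/24
!   203.0.113.2     = firewall outside interface (firewall does NAT)
!
! Inbound WAN ACL: drop what can never legitimately arrive from the ISP,
! then hand everything for the public /24 to the firewall for real inspection.
ip access-list extended WAN-IN
 remark -- spoofed: our own public block arriving from the outside
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark -- RFC 1918, loopback, link-local, multicast and unspecified sources
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip host 0.0.0.0 any
 remark -- nobody on the internet manages the router's inside address
 deny   tcp any host 203.0.113.1 eq 22 log
 deny   tcp any host 203.0.113.1 eq telnet log
 deny   udp any host 203.0.113.1 eq snmp log
 remark -- everything else for the public block goes on to the firewall;
 remark -- the WAN address itself (198.51.100.2) is not permitted, so it
 remark -- falls through to the final deny
 permit ip any 203.0.113.0 0.0.0.255
 deny   ip any any log
!
! Global hardening: switch off services an edge router does not need
no ip http server
no ip http secure-server
no cdp run
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip finger
no ip bootp server
service password-encryption
!
interface FastEthernet0/0
 description WAN to ISP
 ip address 198.51.100.2 255.255.255.252
 ip access-group WAN-IN in
 ! strict unicast RPF on a single-homed uplink: source must be reachable via this interface
 ip verify unicast source reachable-via rx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 no cdp enable
!
interface FastEthernet0/1
 description link to firewall outside
 ip address 203.0.113.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

Because the ACL permits anything destined for the /24 rather than trying to enumerate services, stateful filtering and per-protocol fixups stay on the firewall where the answer puts them; the router only removes spoofed and bogon sources and shields its own management ports. The `log` keywords on the deny lines give you a cheap view of what is being dropped before the firewall ever sees it.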