Briefly, the only place I would suggest to use (bidirectional) NAT is on your external, public network. If the router is routing, rather than bridging, your external facing network is only attached to the router, and none of your servers would have an external address -- the mapping to Internet-facing addresses would be done by the router, and only the router.
---
J65nko reminds me that there are at least two "classic" DMZ topologies that might be considered, so I'll briefly describe them:
- DMZ subnet sits between two firewalls, an "inner" and an "outer."
- DMZ subnet resides in isolation via a single firewall.
While I personally prefer the dual firewall topology as I believe it offers a better defense in depth, either would provide a better defensive governance than you are currently deploying or considering among your solution-set.