There are a ton of ways to configure NAT for either inbound or outbound usage. I'll include a very basic one that does PAT (port address translation) that you can use on your MSR20 however note that its only one of MANY wanys to accomplish NAT.
http://www.h3c.com/portal/products___solutions/technology/security_and_vpn/technology_white_paper/200808/613642_57_0.htm describes many of the different methods that can be used to represent NAT (altough no examples on that whitepaper... blah)
# only overloading a single address. You could specify a range if you expect more than 60k connections through this
# NAT device. Note that even a single web page could temporarly use half a dozen connections to build the page.
#
nat address-group 1 206.123.99.226 206.123.99.226
#
# Only allow machines in the range of 10.1.1.1 - 10.1.1.191 to NAT outbound. Deny all others
acl number 2001 name authorized_nat_outbound
# First off, deny addresses in the range that are not authorized
rule 100 deny source 10.1.1.192 0.0.0.63 logging
#
# ...then authorize the rest of the block
rule 110 permit source 10.1.1.0 0.0.0.255
#
# Deny everything else
rule 999 deny logging
#
acl number 3001 name inbound-from-public
#
# First off permit the VRRP protocol to be transmitted
rule 100 permit 112
#
# We know for a fact that we want to block out all "faked" transport packets from ever entering
rule 110 deny ip destination 10.0.0.0 0.255.255.255 logging
rule 120 deny ip destination 172.16.0.0 0.15.255.255 logging
rule 130 deny ip destination 192.168.0.0 0.0.255.255 loggin
#
# ... additionally deny anything sourced from an RFC1918 address
rule 140 deny ip source 10.0.0.0 0.255.255.255 logging
rule 150 deny ip source 172.16.0.0 0.15.255.255 logging
rule 160 deny ip source 192.168.0.0 0.0.255.255 logging
#
# Specifically allow some "router initiated things" to return to the router (such as NTP)
rule 200 permit udp destination 206.123.99.26 0 destination-port eq ntp
#
# Allow specific protocols inbound to our site
rule 300 permit tcp established
rule 310 permit tcp destination 206.123.99.26 0 destination-port eq 80
rule 320 permit tcp destination 206.123.99.26 0 destination-port eq 443
#
# Allow various types of ICMP probing or ICMP returns to occur. This
# should be reviewed for security concerns vs operation validation needs.
#
rule 950 permit icmp icmp-type echo
rule 955 permit icmp icmp-type echo-reply
rule 960 permit icmp icmp-type port-unreachable
rule 965 permit icmp icmp-type net-unreachable
rule 970 permit icmp icmp-type ttl-exceeded
rule 975 deny icmp logging
#
# By default, everything else is invalid
rule 999 deny ip logging
#
interface Ethernet 0/0
port link-mode route
description Public Connection to the Internet
firewall packet-filter name inbound-from-public inbound
nat outbound static
nat outbound 2001 address-group 1
nat server protocol tcp global 206.123.99.26 www inside 10.1.1.16 www
nat server protocol tcp global 206.123.99.26 443 inside 10.1.1.16 443
ip address 206.123.99.26 255.255.255.0
#
interface Eternet 0/1
port link-mode route
ip address 10.1.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 206.123.99.1
#
ntp-service source-interface Ethernet 0/0
ntp-service unicast-server 72.26.198.240
ntp-service unicast-server 38.229.71.1