You can't have the controller-ip be the GE0/0/1 interface IP, while the GE0/0/0 IP is NAT'ed.
The NAT support in Clustering mandates that the it is the controller-ip that will need to be NAT'ed, and both private IP (controller-ip) and the public IP are configured in the cluster group profile. That is because of the nodelist sent to the RAPs that provides the mapping between the two.
It really depends on your Internet firewall NAT capabilities and whether it can NAT to an IP that is not directly connected like the IP on the GE0/0/1.
If it is the case, then GE0/0/1 would be the controller-ip NAT'ed to the public IPs.
The other option is to use GE0/0/0 as the controller-IP NAT'ed to the public IPs on the firewall, and configure the masterip command to use IPSec setup from the GE0/0/1 vlan. In such case, you do need to set the radius, syslog, snmp source-interfaces to be GE0/0/1 interface IP.
Hope that answers your questions.