I'm looking for a push in the right direction regarding two topics.

1.) Is it possible to setup a DMZ subnet strictly using one router? with one interface going to the DMZ, another going to the switch for the "secure" internal network, or is it better to use a router which the dmz is off of, and then another router connected to that router which hosts the network??!? It seems like in both situations the DMZ is pretty much strictly setup through use of ACL rules? am I correct?

2.) I'm familiar with the idea of nat inside and outside and forwarding ports. However what if I have 3 public IP addresses I'm attempting to NAT through, for example 150.xx.xx.1, 150.xx.xx.2, 150.xx.xx.3 and I want requests to those IP addresses to go to different internal computers... 10.x.x.1, 10.x.x.2, 10.x.x.3. It is somehow a use of multiple ip nat insides and outsides or rules?!? I'm a bit confused on that.

anyone that can help with one or the other, I really appreciate it! Thank you!