It merely depends which firewall you would have. Most builtin firewalls are coupled with an NAT overload, so that's basically only internal-to-external traffic to be allowed. If yo uwould have a decent firewall, like a netscreen or a checkpoint or pix then it would depend on what traffic you allow. I don't see any problems in having a firewall in this setup you propose, although an IDS is preferred since alot of traffic is tunneled these days.
Concerning the VPN, I would terminate them in the untrusted side of the firewall and then allow traffic from the vpn to the trusted side through rules or access-lists. ANyway it really depends what firewall you have ...