sunny10 asked:
Checkpoint HELP!!! Private IP addresses on the outside???

I'm trying to set up a solution that will allow an external vendor to connect to our internal network (two systems only). Here's the question: the way that I have set it up doesn't work, and I think that it has to do with the way that I've set up the IP addresses/VLANs. Here's the scenario. I have a point-to-point link connected by two 2600s (this works fine; both routers can communicate on the serial port without any problems). On the end of my 2600 I'm connecting to a Cisco switch and from there into an interface directly connected to my Checkpoint firewall. The connection between the serial interfaces on both routers and the firewall is on a 10.105.105.xxx network, and the customer traffic is being NATted to a 10.106.106.xxx network (there's a one-to-one translation happening, 12.4.xxx.xxx ---> 10.106.106.xxx). The connection between the switch and the Checkpoint is trunked for any VLAN, and the port on the switch that the router connects to is configured for VLAN 106. So here's a breakdown:

Cisco 2600 (vendor) ----> Cisco 2600 (me) ----> Cisco 3500 switch ----> Checkpoint FW ----> internal net

  Cisco 2600 (vendor):  s0/0 - 10.105.105, e0 - 12.4.xxx.xxx
  Cisco 2600 (me):      e0 - 10.105.105, s0/0 - unnumbered
  Cisco 3500 switch:    gigabit0/1 - trunk, f0/1 - VLAN 106 dot1q
  Checkpoint FW:        int - 10.105.105
  internal net:         10.106.106

From my internal network, I can see the router on my end but not my vendor's router (this could have something to do with the NATting, not sure). I can't, however, see the vendor's router.

Can Checkpoint pass dot1q traffic? Is there a better way of doing this?
ASKER CERTIFIED SOLUTION
bfarmer

This solution is only available to members.
crazynoodle

I am wondering why you are using NAT here. Your 2600 should route the customer traffic to your external interface of the Checkpoint, and then a new rule allowing the external source of 12.4.x.x to the 2 destination hosts should do the trick, or maybe I am just not understanding the topology. Is there other external traffic traversing this 3500 switch to the internal network?
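Added example, not from the thread or either poster: a small Python model of the two designs discussed above, the one-to-one NAT on the 2600 that sunny10 describes versus crazynoodle's no-NAT design with an explicit rule from 12.4.x.x to the two internal hosts. All addresses are constructed stand-ins for the thread's 12.4.xxx.xxx and 10.106.106.xxx ranges; the model shows that a rule written for the vendor's real range matches nothing once the router has already translated the source, and that either working design still confines the vendor to the two permitted hosts.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (assumptions, not from the thread): a vendor host
# in the 12.4.xxx.xxx range, its 10.106.106.xxx one-to-one NAT address, and the
# two internal systems the vendor is allowed to reach.
VENDOR_HOST = ipaddress.ip_address("12.4.0.10")
VENDOR_NET = ipaddress.ip_network("12.4.0.0/24")
NAT_ADDR = ipaddress.ip_address("10.106.106.10")
ALLOWED_HOSTS = (ipaddress.ip_address("10.106.106.50"),
                 ipaddress.ip_address("10.106.106.51"))
OTHER_HOST = ipaddress.ip_address("10.106.106.99")
# One-to-one static NAT performed on the 2600 before traffic reaches the firewall.
NAT_TABLE = {VENDOR_HOST: NAT_ADDR}

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network   # permitted source range
    dsts: tuple                  # permitted destination hosts
    action: str                  # "accept" or "drop"

def router_nat(src):
    """Translate the source address if the router holds a static mapping for it."""
    return NAT_TABLE.get(src, src)

def firewall_decision(rules, src, dst):
    """First-match rulebase with an implicit cleanup drop at the end."""
    for rule in rules:
        if src in rule.src and dst in rule.dsts:
            return rule.action
    return "drop"

def end_to_end(rules, src, dst, nat_on_router):
    """The source the firewall sees is the NAT address when the router translates."""
    seen_src = router_nat(src) if nat_on_router else src
    return firewall_decision(rules, seen_src, dst)

# Design 1: NAT on the router, but the rule is written for the vendor's real range;
# the firewall only ever sees 10.106.106.10, so the rule never matches.
# Design 2 (crazynoodle's suggestion): the same rule with no NAT on the router.
RULES_REAL_RANGE = [Rule(VENDOR_NET, ALLOWED_HOSTS, "accept")]
# Design 3: keep the NAT, but write the rule against the translated address.
RULES_NAT_ADDR = [Rule(ipaddress.ip_network(f"{NAT_ADDR}/32"), ALLOWED_HOSTS, "accept")]
```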