Hi Raheel,
For the ASA role, you can make a very specific access-list only permitting this traffic through. Who will initiate the traffic, the NMS device? If so, then you will be going from a more secure network (DMZ) to a less secure network (outside). So your access-list would permit only the NMS talking with the outside router on a specific port that you use to manage the router.
Thanks,
Scott
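
The access-list described in the reply above, sketched as ASA configuration. This is an added example, not part of the original post. The addresses, the interface names (`dmz`, `outside`), the ACL name and the choice of SSH on tcp/22 as the management port are all assumptions, since the thread does not give them.

```cisco
! Constructed values (assumptions, not from the thread):
!   NMS in the DMZ       192.0.2.10
!   outside router       198.51.100.1
!   management port      tcp/22 (SSH); substitute the port actually used
!   interface nameifs    dmz, outside
!
! Too broad: lets any DMZ host reach any outside host on any port.
! access-list DMZ_IN extended permit ip any any
!
! Specific: one source host, one destination host, one port.
access-list DMZ_IN extended permit tcp host 192.0.2.10 host 198.51.100.1 eq 22
!
! Explicit final deny with logging, so blocked attempts appear in syslog
! instead of being dropped silently by the implicit deny.
access-list DMZ_IN extended deny ip any any log
!
! Apply inbound on the DMZ interface, where the NMS initiates the session.
access-group DMZ_IN in interface dmz
!
! Check from exec mode that the flow is allowed:
!   packet-tracer input dmz tcp 192.0.2.10 1025 198.51.100.1 22
```

Once an access-list is bound to the DMZ interface, its implicit deny replaces the default behaviour of allowing traffic from a higher to a lower security level, so any other DMZ-to-outside traffic that must keep working needs its own permit entry above the deny. Return traffic for the permitted TCP session is handled by the ASA's stateful inspection and needs no entry on the outside interface.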