@Vladimir VPN will be setup on the ASA and the external interface of check point will be assigned a private IP address. NAT will also be configured on the ASA.

Some vendors recommend that the firewall behind another firewall be configured in layer 2 mode(bridge). Does this apply to check point?

My preferred architecture is to have layer 2 bridge in front of the addressable L3 device.

In your case,since ASA is directly accessible from the Internet, it is easier to run DDOS against (unless there is additional filtering performed on the border routers).

If you have a firewall/IPS in transparent bridge on the edge, you can drop a lot of stuff before it hits the device that actually has to accept connections.

Site-to-site and remote access VPN is not supported on ASA in transparent mode, so we cannot have the ASA in layer 2 bridge mode. To block unwanted traffic at the edge as you rightly pointed out, we might explore the option of enabling IOS zone based firewall on the edge router.

Kindly correct me if I am wrong, from what I have gathered so far from the responses here, its OK to  have the ASA and Check Point in routed mode.

Thank you.

Absolutely. I've just recently deployed it in exactly the situation you are describing.

FYI: if the Check Point piece is a cluster, you may have to add static routes to individual member's IPs pointing to the vIP of the cluster on next hop routers, if you want to make individual members reachable. Alternatively, there is a kernel parameter fix that allows you to achieve the same. There is a thread in CheckMates regarding this issue, if you'll have to look it up.