Hello Chris,
NAT of any kind will only be possible with route based VPN and NOT policy based VPN because of the following :-
1. Policy based VPNs take up the proxy-id (interested traffic subnet) from the source-address/destination-address combination.
2. This proxy-id must match between the ASA & SRX to bring up the VPN. i.e. you will have to use the public IPs in these policy.
3. In Junos FLOW design, Destination NAT happens before policy lookup and Source NAT happens after policy look up.
a. This means if we apply Destination NAT to convert x.x.x.76 to 192.168.22.0/24 , it won't match the policy.
b. Also, Source NAT of traffic from staff zone will happen after the policy look up and hence won't match the policy.
Now lets see how I think it can be resolved.
First of all, you have only 1 public IP x.x.x.76 accepted as proxy-id on ASA for a /24 network. Therefore, my assumption is that in your network, the communication across the VPN is always being started by Staff users & it will never have a session initiated by the ASA end.
If this assumption is not correct, then we would need an equal number of IPs in the Public & Private subnet.
Now that we know that we only have to initiate the traffic from STAFF towards VPN, I would suggest you configure the following :-
1. Configure Route based VPN using proxy-ids or traffic-selector (from 12.1X46-D10 release). The proxy-ids will contain your pubic IPs as interested subnets.
2. Configure a static route for ASA side's "Interesting traffic" pointing towards st0 interface.
3. Configure a source NAT for all the traffic coming from STAFF zone and going into st0 interface to get NAT-ed to x.x.x.76 .
4. Configure your security policy to allow source-address 192.168.22.0/24 to talk to destination X.X.X.X/32 (CISCO side IP) .
This should take care of the traffic.
Hopefully this helped.
Thanks!