Hi,
Policy-based NAT is exactly what you need. Using MIPs/VIPs you will not be able to meet all your requirements. I would suggest the following scenario:
1. Configure two DIP pools, each containing a single IP: a.a.a.a and b.b.b.b. As both IPs do not belong to the interface net, the option "extended IP" should be used for their creation.
2. Configure two routes for these IPs through the dmz interface. The gateway field can be left blank.
3. Create two address objects a.a.a.a and b.b.b.b in the dmz zone.
4. Inbound Untrust-to-dmz policies can be configured in this manner:
Customer A --> a.a.a.a, dst-NAT to the private IP
Customer B --> b.b.b.b, dst-NAT to the same private IP
Any --> a.a.a.a & b.b.b.b, deny
5. Outbound policies dmz-to-Untrust:
Server --> Customer A, src-NAT to the first DIP
Server --> Customer B, src-NAT to the second DIP
Server --> Any, src-NAT to Untrust interface IP.
Hopefully this will work for you.
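
Added example, not part of the original post: a small Python model of the rule sets in steps 4 and 5, useful for checking the first-match order and the per-customer address mapping before touching the firewall. All addresses are constructed placeholders from documentation ranges, and the top-down first-match evaluation and default deny are assumptions about the device.

```python
import ipaddress

# Constructed sample values (documentation ranges), not from the post.
CUST_A = ipaddress.ip_network("192.0.2.0/24")
CUST_B = ipaddress.ip_network("198.51.100.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
PUB_A = ipaddress.ip_address("203.0.113.10")    # stands in for a.a.a.a
PUB_B = ipaddress.ip_address("203.0.113.20")    # stands in for b.b.b.b
SERVER = ipaddress.ip_address("10.0.0.5")       # private server in the dmz
UNTRUST_IF = ipaddress.ip_address("203.0.113.1")

# Step 4: (source net, destination IPs, action, dst-NAT target), top-down.
INBOUND = [
    (CUST_A, {PUB_A}, "permit", SERVER),
    (CUST_B, {PUB_B}, "permit", SERVER),
    (ANY, {PUB_A, PUB_B}, "deny", None),
]
# Step 5: (destination net, src-NAT address), top-down.
OUTBOUND = [(CUST_A, PUB_A), (CUST_B, PUB_B), (ANY, UNTRUST_IF)]

def inbound(src, dst, rules=INBOUND):
    """Return (action, translated destination) of the first matching rule."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for net, dsts, action, nat in rules:
        if src in net and dst in dsts:
            return action, nat
    return "deny", None  # assumed default when nothing matches

def outbound(dst, rules=OUTBOUND):
    """Return the source address the server's traffic leaves with."""
    dst = ipaddress.ip_address(dst)
    for net, nat_src in rules:
        if dst in net:
            return nat_src
    return None

def consistent(customer_src, public_dst):
    """True if the customer is admitted on public_dst and server-initiated
    traffic to that customer leaves from the same public address."""
    action, _ = inbound(customer_src, public_dst)
    return action == "permit" and outbound(customer_src) == ipaddress.ip_address(public_dst)

if __name__ == "__main__":
    print(inbound("192.0.2.7", "203.0.113.10"))   # customer A on its own address
    print(inbound("192.0.2.7", "203.0.113.20"))   # customer A on B's address
    print(inbound("192.0.2.7", "203.0.113.10", rules=INBOUND[::-1]))  # deny placed first
```

Passing the reversed list shows why the catch-all deny has to sit below the two customer rules: placed first, it shadows both permits.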