i'm pretty sure you can accomplish this with Destination NAT with PAT:
I think this will work -- a modified version of what we are using to forward SMTP to our email server
[edit security nat destination]
pool IronPort {
address 10.10.10.20/32;
pool emailServer {
address 10.x.x.20/32 port XYZ; ## Internal IP and port
}
rule-set dst-nat {
from zone untrust;
rule mail-dst-nat-SMTP {
match {
destination-address x.x.x.x/32; ## public interface IP here
destination-port 25; ## whatever port you want to forward
}
then {
destination-nat pool emailServer;
}
}
if this works please flag as solved to help anyone else that might need similar help.
EDIT - forgot to add - if the public IP is NOT the same as your public interface IP, then make sure to include the proxy-arp entry under [edit security nat proxy-arp]
good luck!
Will