If you want to use the same subnet on your external/untrust interface and in your DMZ zone, you're going to have to split that subnet and set up routes.
Unfortunately, with a /29 subnet, if you split that into 2 /30s you only get 2 useable IPs per subnet. You would need 3 IPs in your DMZ, one for the SRX interface, and 2 for your Direct Access server interfaces.
If the SRX is in layer 3 mode, then in order for any security policies to exist, based on Zones, then routing decisions need to happen on the SRX. It's security processing is based on routing decisions. You may need to ask for some more address space from your ISP, so that you can split up your subnets and do the necessary routing at your SRX.
Your other option would be to look into using the device in transparent mode. For branch SRX, this was introduced in 11.2 software, I believe.