A bit more background on the problem.
We have a storage monitoring server that requires a bunch of inbound traffic to it coming from public IP space. So there are lots of firewall rules that need to perform dst-nat to it (using a MIP). That server then reaches out to our storage nodes to pull stats. But the software sends along the IP you are trying to connect to, which interferes with NATing - the software complains that you are trying to connect to the public IP that it doesn't show locally defined (since those nodes are using MIPs on the far-end).
I did find a work-around, by using two MIPs on the firewall local to the storage monitoring server.
One MIP for the storage monitoring server itself. Defined on the Untrust interface.
One MIP for each storage node it needs to monitor. Defined on the local interface to the storage monitoring server. This maps private to public.
Then added a firewall rule from Internal > Untrust with no NATing specified (since MIP overrides anyway) and it works. Both source and destination NATing are working properly.