Re: SRX DESTINATION NAT (PROXY ARP?)

Hi there,

Proxy ARP is ONLY needed when you want to receive traffic for an IP which is not configured on the ingress interface but falls in the same subnet.

e.g.

Let the interface address be 1.1.1.1/24 and you want to receive traffic for 1.1.1.10. In this case, we will need proxy ARP so that next-hop devices can forward traffic to this interface.

But if you are trying to receive traffic for 2.2.2.10 on the interface 1.1.1.1/24, you would NOT need proxy ARP. Rather, you will need some routing protocol to export this route to your next hop so that they can forward it to you.

Coming back to your issue, I think the sessions are NOT failing due to NAT. They are failing because of the reverse route lookup.

When the traffic arrives at your device on the untrust interface, it is trying to access 65.x.x.x/32, which is being translated to 10.132.6.128/32.

But when the SRX looks up the return route, it would find that the 65.x.x.x subnet belongs to the ADMIN_DMZ zone but the traffic originally arrived on the untrust zone. This will cause the session to fail.

My potential solution would be to write a specific static route to 65.x.x.x/32 pointing towards the Internet gateway

OR

use a different IP from the subnet on the untrust interface.

Hopefully this will solve the problem.

Thanks!
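To make the two points in the reply above concrete, here is an added Python example (not from the original post and not Juniper code). It models the proxy-ARP decision (same subnet but not the interface's own address) and the reverse-route zone check exactly as the reply describes them: the firewall routes the pre-NAT destination address, maps the egress interface to a zone, and drops the session if that zone differs from the ingress zone. The interface names, the interface-to-zone mapping, the routing tables and the concrete address 65.0.0.10 (standing in for the poster's 65.x.x.x) are all constructed assumptions.

```python
"""Added example modelling the reply's two checks on an SRX-style firewall.

1. proxy_arp_needed: proxy ARP is only needed for an address that lies in the
   ingress interface's subnet but is not configured on it; an off-subnet
   address needs a route on the neighbour instead.
2. reverse_route_check: after destination NAT the firewall does a reverse
   route lookup on the ORIGINAL destination; if the route's egress interface
   is in a different zone than the ingress zone, the session is not created.

All addresses, interface names and zone names are constructed sample values.
"""
from ipaddress import ip_address, ip_interface, ip_network


def proxy_arp_needed(interface_cidr: str, target_ip: str) -> str:
    """Classify how traffic for target_ip can reach an interface configured
    with interface_cidr: 'none', 'proxy-arp' or 'route'."""
    iface = ip_interface(interface_cidr)
    target = ip_address(target_ip)
    if target == iface.ip:
        return "none"        # the interface already answers ARP for itself
    if target in iface.network:
        return "proxy-arp"   # same subnet, not configured: proxy ARP needed
    return "route"           # off-subnet: neighbours need a route to us


def lookup_route(routing_table, dst_ip: str):
    """Longest-prefix match over (prefix, egress_interface) tuples.
    Returns the egress interface or None when nothing matches."""
    dst = ip_address(dst_ip)
    best = None
    for prefix, egress in routing_table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None


def reverse_route_check(routing_table, zone_of_interface, ingress_zone, original_dst):
    """Return (session_ok, zone_of_reverse_route).

    The lookup deliberately uses the pre-NAT destination address, which is
    what the reply says the SRX does when it checks the return route."""
    egress = lookup_route(routing_table, original_dst)
    zone = zone_of_interface.get(egress)
    return zone == ingress_zone, zone


# Constructed sample topology (assumed interface names and zones).
ZONE_OF_INTERFACE = {
    "ge-0/0/0.0": "untrust",
    "ge-0/0/1.0": "ADMIN_DMZ",
    "ge-0/0/2.0": "trust",
}

# Constructed "before" routing table: the public block that contains the
# NAT'd address is a connected route on the ADMIN_DMZ interface.
BROKEN_TABLE = [
    ("0.0.0.0/0", "ge-0/0/0.0"),      # default route toward the Internet gateway
    ("65.0.0.0/24", "ge-0/0/1.0"),    # public block connected to ADMIN_DMZ
    ("10.132.6.0/24", "ge-0/0/2.0"),  # internal server network (NAT target)
]

# The reply's first fix: a specific /32 static route for the NAT'd address
# pointing back toward the Internet gateway on the untrust interface.
FIXED_TABLE = BROKEN_TABLE + [("65.0.0.10/32", "ge-0/0/0.0")]


def demo():
    """Run both checks on the constructed sample and return the results."""
    return {
        "same-subnet": proxy_arp_needed("1.1.1.1/24", "1.1.1.10"),   # proxy-arp
        "off-subnet": proxy_arp_needed("1.1.1.1/24", "2.2.2.10"),    # route
        "before-fix": reverse_route_check(BROKEN_TABLE, ZONE_OF_INTERFACE,
                                          "untrust", "65.0.0.10"),   # (False, 'ADMIN_DMZ')
        "after-fix": reverse_route_check(FIXED_TABLE, ZONE_OF_INTERFACE,
                                         "untrust", "65.0.0.10"),    # (True, 'untrust')
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} {result}")
```

The before/after tables show why the /32 route works: longest-prefix match means the host route wins over the connected /24, so the reverse lookup now lands on the untrust interface and the zone matches the ingress zone. The reply's alternative (using an address for the untrust interface from a different subnet) removes the overlap instead of overriding it.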