Hi wq,
To allow RDP, ping, etc., you just need to create a security policy from untrust to trust with the internal IP as the destination-address in the policy. If you look at the order of packet handling in the Junos flow module below, you can see that static and destination NAT are handled before policies - so the only place you need to define the public IP is in NAT (and proxy-arp...).
Hope this helps.
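The arrangement described in the reply above, as an added configuration sketch that is not part of the original post. All addresses, the interface, and the rule, policy and address-book names are constructed placeholders, and it assumes a Junos release with the global address book:

```junos
# Constructed values: 203.0.113.10 = public IP, 192.168.1.10 = internal host,
# 198.51.100.0/24 = remote admin network, ge-0/0/0.0 = untrust-side interface.

# The public IP appears only in NAT and proxy-arp.
set security nat static rule-set untrust-in from zone untrust
set security nat static rule-set untrust-in rule rdp-host match destination-address 203.0.113.10/32
set security nat static rule-set untrust-in rule rdp-host then static-nat prefix 192.168.1.10/32
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32

# Address objects used by the policy.
set security address-book global address rdp-host-internal 192.168.1.10/32
set security address-book global address admin-net 198.51.100.0/24

# Custom application for RDP (TCP/3389).
set applications application rdp-tcp protocol tcp destination-port 3389

# The policy is evaluated after static/destination NAT, so it matches the
# translated (internal) address, not the public one.
set security policies from-zone untrust to-zone trust policy allow-rdp-ping match source-address admin-net
set security policies from-zone untrust to-zone trust policy allow-rdp-ping match destination-address rdp-host-internal
set security policies from-zone untrust to-zone trust policy allow-rdp-ping match application rdp-tcp
set security policies from-zone untrust to-zone trust policy allow-rdp-ping match application junos-icmp-ping
set security policies from-zone untrust to-zone trust policy allow-rdp-ping then permit
set security policies from-zone untrust to-zone trust policy allow-rdp-ping then log session-init
```

`show security flow session destination-prefix 203.0.113.10` and `show security nat static rule all` can be used to confirm that sessions hit the static NAT rule and are permitted by the policy against the internal address.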