Destination NAT/Port NAT - Totally confused and in dire need of help

I've been getting my butt kicked by this - about 20 hours so far - and completely baffled.

I have an Amazon VPC with two subnets - Public and Private. Within the private subnets have two VM's.
I have an IPSEC tunnel between our office the the VPC at Amazon.

From our office network I can contact the two VM's via RDP without issue.

The problem I have is I also need to reach both of those VM's from outside our network for a few weeks.

I figured I could simply create a destination NAT rule that says traffic over X port gets directed to Y address over port Z

111.222.333.444:3387 -> 10.0.1.110:3389
(public IP of SRX)

Something like this:

create NAT destination pools for the two servers:
pool BPApplication {
address 10.0.1.110/32 port 3389;
pool BPApplication {
address 10.0.1.110/32 port 3389;

Create rule:

match
destination-address xxx.xxx.xxx.xx8/32; <-- Public IP on Juniper
destination-port 3387;
then
destination-nat
pool
BPApplication;

match
destination-address xxx.xxx.xxx.xx8/32; <-- Public IP on Juniper
destination-port 3388;
then
destination-nat
pool
BPSQL;

Following is the configuration I created, relevant to this need. It does not work and I have no idea why.

security {

nat {

destination {

pool BPApplication {

address 10.0.1.110/32 port 3389;

}

pool BPApplication {

address 10.0.1.110/32 port 3389;

}

rule-set rs1 {

from zone untrust;

rule r6 {

match {

destination-address xxx.xxx.xxx.xx8/32; <-- Public IP on Juniper

destination-port {

3387;

}

}

then {

destination-nat {

pool {

BPApplication;

}

}

}

}

rule r7 {

match {

destination-address xxx.xxx.xxx.xx8/32; <-- Public IP on Juniper

destination-port {

3388;

}

}

then {

destination-nat {

pool {

BPSQL;

}

}

}

}

}

}

}

policies {

from-zone untrust to-zone trust {

policy untrust-to-trust1 {

match {

source-address any;

destination-address BPApplication;

application any;

}

then {

permit;

}

}

policy untrust-to-trust2 {

match {

source-address any;

destination-address BPSQL;

application any;

}

then {

permit;

}

}

}

}

zones {

security-zone trust {

address-book {

address BPApplication 10.0.1.110/32;

address BPSQL 10.0.1.111/32;

}

host-inbound-traffic {

system-services {

all;

}

protocols {

all;

bgp;

}

}

interfaces {

ge-0/0/1.0;

ge-0/0/2.0;

ge-0/0/3.0;

ge-0/0/4.0;

irb.20;

st0.1;

st0.2;

}

}

security-zone untrust {

screen untrust-screen;

host-inbound-traffic {

system-services {

ike;

}

}

interfaces {

ge-0/0/0.0 {

host-inbound-traffic {

system-services {

dhcp;

tftp;

}

}

}

}

}

}

}

interfaces {

ge-0/0/0 {

unit 0 {

family inet {

address xxx.xxx.xxx.xx8/29; <-- Public IP on Juniper

}

}

}

st0 {

unit 1 {

family inet {

mtu 1436;

address 169.254.46.118/30;

}

}

unit 2 {

family inet {

mtu 1436;

address 169.254.44.66/30;

}

}

}

}

routing-options {

static {

route 10.0.0.0/16 next-hop [ st0.1 st0.2 ]; <-- These are the IPSEC ports carrying traffic to the VPC

route 0.0.0.0/0 next-hop xxx.xxx.xxx.xxx; <-- ISP Router within our /29

}

applications {

application BPApplication-RDP {

protocol tcp;

destination-port 3387;

}

application BPSQL-RDP {

protocol tcp;

destination-port 3388;

}

}