Many thanks for your response. I've got it working but I'd like to verify my config and potentially help someone else.
I have my untrust (public) interface on e0/0. My ISP gave me a block of IPs on /29.
For example, my interface IP is 100.1.1.2/29. My NAT DST will be used with 100.1.1.3. The internal server IP will be 192.168.1.100.
Setup ARP:
set interface ethernet0/0 proxy-arp-entry 100.1.1.3
Add address:
set address untrust server-pub 100.1.1.3/32
Policy to allow IKE:
set policy from untrust to untrust any server-pub IKE nat dst ip 192.168.1.100 permit
Policy to deny any other traffic:
set policy from untrust to untrust any server-pub any nat dst ip 192.168.1.100 deny
Seems simple enough. Does that look legit?