I could be wrong, but I don't think it's possible to - or at the very least, feasible to - make the machines communicate via different, NATted IPs if they are on the same subnet. Generally, devices will only hit the firewall if there is no local route to the host. (OK, anything is possible in the *nix world, but Windows would definitely be more difficult.)
That's probably why your firewall isn't much help on any traffic between them.
The easiest way to do that is create a new private network so that you can have the firewall route between the hosts.
Net A: 10.10.10.x/24 : SrvA @ 10.10.10.10 --> FW-NAT to x.y.z.197
Net B: 10.10.11.x/24 : SrvB @ 10.10.11.11 --> FW-NAT to x.y.z.203
That way your firewall rules can govern traffic between the servers and inbound from other hosts.
You would need to change your local routing so the firewall doesn't try to route directly between Net A & Net B, too.
Just an idea, hope it helps.
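As an added illustration of the point in the answer above (this is example code, not something the poster supplied), the model below shows why same-subnet traffic never reaches the firewall and what changes once SrvA and SrvB sit on separate subnets with the firewall as their gateway. The public addresses 203.0.113.197 and 203.0.113.203 are TEST-NET placeholders standing in for the post's x.y.z.197 / x.y.z.203; the gateway addresses, the `allow` pair and all class and function names are assumptions made for the example.

```python
# Added example: host routing decision + firewall NAT/filter model.
# Addresses 203.0.113.x are placeholders for the post's x.y.z.197/.203;
# gateway addresses and the allow-list are assumed for illustration.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


@dataclass
class Host:
    name: str
    iface: IPv4Interface        # e.g. 10.10.10.10/24
    gateway: IPv4Address        # firewall's address on that subnet

    def next_hop(self, dst: IPv4Address) -> str:
        """'direct' when dst is on a connected subnet (frame goes straight
        over the LAN, the firewall never sees it); otherwise the gateway."""
        if dst in self.iface.network:
            return "direct"
        return str(self.gateway)


@dataclass
class Firewall:
    inside: dict[IPv4Network, IPv4Address]   # subnet -> firewall address on it
    snat: dict[IPv4Address, IPv4Address]     # inside host -> public address
    allow: set[tuple[IPv4Address, IPv4Address]] = field(default_factory=set)

    def is_inside(self, addr: IPv4Address) -> bool:
        return any(addr in net for net in self.inside)

    def forward(self, src: IPv4Address, dst: IPv4Address) -> dict:
        if self.is_inside(dst):
            # Net A <-> Net B: governed by explicit rules, no NAT applied
            return {"allowed": (src, dst) in self.allow, "src_as_seen": str(src)}
        # outbound to the internet: source-NAT to the server's public address
        public = self.snat.get(src)
        return {"allowed": public is not None,
                "src_as_seen": str(public) if public else None}


def trace(src: Host, dst: str, fw: Firewall) -> dict:
    """Follow one packet from src to dst and report whether it crossed the
    firewall, whether it was allowed, and which source address dst sees."""
    dst_addr = IPv4Address(dst)
    if src.next_hop(dst_addr) == "direct":
        return {"via_firewall": False, "allowed": True,
                "src_as_seen": str(src.iface.ip)}
    result = fw.forward(src.iface.ip, dst_addr)
    result["via_firewall"] = True
    return result


def build_flat():
    """Original layout: both servers on one /24 behind the firewall."""
    gw = IPv4Address("10.10.10.1")
    a = Host("SrvA", IPv4Interface("10.10.10.10/24"), gw)
    b = Host("SrvB", IPv4Interface("10.10.10.11/24"), gw)
    fw = Firewall(inside={IPv4Network("10.10.10.0/24"): gw},
                  snat={a.iface.ip: IPv4Address("203.0.113.197"),
                        b.iface.ip: IPv4Address("203.0.113.203")})
    return a, b, fw


def build_split():
    """Suggested layout: Net A and Net B, firewall routes between them."""
    a = Host("SrvA", IPv4Interface("10.10.10.10/24"), IPv4Address("10.10.10.1"))
    b = Host("SrvB", IPv4Interface("10.10.11.11/24"), IPv4Address("10.10.11.1"))
    fw = Firewall(inside={IPv4Network("10.10.10.0/24"): a.gateway,
                          IPv4Network("10.10.11.0/24"): b.gateway},
                  snat={a.iface.ip: IPv4Address("203.0.113.197"),
                        b.iface.ip: IPv4Address("203.0.113.203")},
                  allow={(a.iface.ip, b.iface.ip)})   # assumed: A -> B only
    return a, b, fw


if __name__ == "__main__":
    a, b, fw = build_flat()
    print("flat  A->B :", trace(a, str(b.iface.ip), fw))
    a, b, fw = build_split()
    print("split A->B :", trace(a, str(b.iface.ip), fw))
    print("split B->A :", trace(b, str(a.iface.ip), fw))
    print("split A->net:", trace(a, "198.51.100.5", fw))
```

In the flat layout the A-to-B trace never touches the firewall, which is why rules there have no effect on that traffic; in the split layout every A/B packet is routed through the firewall, where the allow-list decides it, while only internet-bound traffic gets source-NATted to the public addresses.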