I think I know what's wrong. The MIP made the SSG respond to an ARP request, I think. A static route 220.127.116.11/29 pointing to .50 in the Internet router should solve this. Static ARPs in the router could also solve this. Proxy ARPing on the SSG can also work. In older versions we configured a DIP on the address we wanted a proxy ARP for. In the latest version you can configure proxy ARP. You can try to proxy ARP the addresses on your /29 net on the untrust (e0, I believe) interface.
Hope this is clear.
From the 6.3 manual:
proxy-arp-entry
    get interface interface proxy-arp-entry
    get proxy-arp-entry [ all ]
    set interface interface proxy-arp-entry ip_min ip_max
    unset interface interface proxy-arp-entry ip_min ip_max
proxy-arp-entry: Imports traffic destined for an IP address range using this interface. Specify the IP range as follows:
    ■ ip_min—Specify the minimum IP address in the IP address range.
    ■ ip_max—Specify the maximum IP address in the IP address range.
The <proxy-arp-entry> option can only be configured on the Layer 3 interface in Layer 3 mode. The administrator can configure no more than 256 proxy ARP entries per interface. The security device responds to ARP requests that arrive at this interface and the destination is in the proxy ARP entry IP range.
TIP: Use <proxy-arp-entry> along with a destination translation policy.
I don't think this config is possible. You need to configure the outbound interface when setting up a VPN. The termination point (and with this the IP address the other side has to connect to) will be the primary IP address of this interface. Apart from that, I don't see the need for this config. Many VPNs can connect to the same interface/IP.
You're misusing sub int, I think. They are there for dealing with tagged traffic. But: why not set blocking on the trust zone and give the access point an IP in a secondary range you create on the trust interface? Clients on wireless can't route over the firewall to wired hosts now....
Save your config to last-known-good every time you want to create a new rollback config. When something goes wrong, call somebody and let him/her type in exec rollback. That's, in my opinion, the easiest way when you're not using NSM.