Re: IP-Masq

Keith Owens (kaos@ocs.com.au)
Tue, 14 Jan 1997 21:01:34 +1100


On Tue, 14 Jan 1997 09:53:39 +0100 (MET),
Martin Bauer <mab@hamburg.germanlloyd.de> wrote:
>The company I am working for is connected to the Internet via a
>Linux firewall. This is working pretty well. We use IP masquerading
>to give people sitting at PCs with private IP addresses (172.30.x.x)
>the possibility to 'surf'.
>Now my problem: There are people out there who need to work on several
>specific machines inside our 'safe' Intranet. So these machines have to
>look like they have public IP addresses to the outside.
>
>I think the Firewall should act like more than one machine (multiple
>IP addresses, IP aliasing?) and then handle the IP packets (firewall rules)
>and send them to the specific host with the private IP address inside our
>net.

Two basic solutions, but be aware (be very aware) that whatever you do
will reduce the security of your firewall. The internal servers may
end up as effectively unprotected.

1) Give selected internal machines real as well as private IP addresses
and make the firewall "leaky" so packets to those machines can go
through.

It takes a little fiddling with the internal routing (two logical
networks on the same physical cable, and selected machines having
more than one IP address), but it works. You can even filter which
external machines can get to which internal machines and for which
services.

2) As you suggested, IP aliases on the firewall but then you have to
get the packets from the firewall to the internal machines. You
need userspace plugins to accept the connection on the firewall and
open a second connection from the firewall to the internal servers.

The plugins have to reformat the packets they receive from the
external connection and forward the result over the internal
connection. How easy this is depends on the services you want to
provide. Sensible connections like telnet, pop and nntp are not a
problem; the data does not have to be reformatted, just forwarded.
The protocols that include IP addresses or host names (ftp, http)
are more of a problem: the data packets have to be rewritten before
forwarding, which is why IP masq had so much hassle with ftp.

The TIS FireWall ToolKit (fwtk, http://www.tis.com) has a reasonably
secure set of plugins, although I do not like their new licence
policy. They may work for the services you want to provide, or they
may not. There is also a project to develop free firewall
utilities, see http://www.inka.de/sites/lina/freefire-l/
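To make solution 2 concrete, here is a minimal userspace "plug" relay of the kind the reply describes. It is an added example, not code from the original post and not fwtk's plug-gw: it accepts a connection on the firewall side, checks the external peer against a per-service access list (the filtering of "which external machines can get to which internal machines and for which services"), opens a second connection to the internal server, and copies bytes in both directions unchanged. That is all a telnet/pop/nntp-style protocol needs; it does not attempt the payload rewriting that ftp would require. The internal server is a constructed echo server on 127.0.0.1, and all addresses, ports and network ranges are made up for the demonstration.

```python
# Added example (not from the original post or from fwtk): a userspace "plug"
# relay that accepts on the firewall, checks the external peer against an
# access list, and copies bytes unchanged to and from the internal server.
import ipaddress
import socket
import threading
from collections import namedtuple

# One relayed service: internal target and the external networks allowed to use it.
ServiceRule = namedtuple("ServiceRule", "target_host target_port allowed")


def peer_allowed(peer_ip, allowed_networks):
    """True if the external peer address lies inside one of the allowed CIDR networks."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(net) for net in allowed_networks)


def pump(src, dst):
    """Copy bytes from src to dst until src signals EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(client, peer, rule):
    """Plug one accepted external connection through to the internal server."""
    if not peer_allowed(peer[0], rule.allowed):
        client.close()            # refused: the internal host is never contacted
        return
    try:
        upstream = socket.create_connection((rule.target_host, rule.target_port), timeout=5)
    except OSError:
        client.close()
        return
    upstream.settimeout(None)
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)        # external -> internal, on this thread
    back.join()                   # internal -> external, on the helper thread
    client.close()
    upstream.close()


def accept_loop(lsock, handler):
    """Run handler(conn, peer) on its own thread per connection until lsock is closed."""
    def loop():
        while True:
            try:
                conn, peer = lsock.accept()
            except OSError:       # listening socket closed: stop serving
                return
            threading.Thread(target=handler, args=(conn, peer), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()


def start_relay(listen_host, listen_port, rule):
    """Start the relay; returns the listening socket (close it to stop)."""
    lsock = socket.create_server((listen_host, listen_port))
    accept_loop(lsock, lambda conn, peer: handle_client(conn, peer, rule))
    return lsock


def start_echo_server():
    """Constructed stand-in for the internal server: echoes whatever it receives."""
    lsock = socket.create_server(("127.0.0.1", 0))
    accept_loop(lsock, lambda conn, peer: pump(conn, conn))
    return lsock


def run_demo(allowed_networks):
    """Send b'hello' through the relay from 127.0.0.1; return the echo (b'' if refused)."""
    echo = start_echo_server()
    rule = ServiceRule("127.0.0.1", echo.getsockname()[1], allowed_networks)
    relay = start_relay("127.0.0.1", 0, rule)
    reply = b""
    try:
        client = socket.create_connection(("127.0.0.1", relay.getsockname()[1]), timeout=5)
        client.sendall(b"hello")
        client.shutdown(socket.SHUT_WR)
        reply = client.makefile("rb").read()   # everything until the relay closes
        client.close()
    except OSError:
        pass                      # a refused connection is closed or reset
    finally:
        relay.close()
        echo.close()
    return reply


if __name__ == "__main__":
    print(run_demo(["127.0.0.0/8"]))    # plugged through
    print(run_demo(["192.0.2.0/24"]))   # refused
```

Two points of the reply show up in this shape. The internal server only ever sees a connection from the firewall itself, so it is never reachable directly from outside, and the access check runs before the second connection is opened, so a peer that is not on the list never causes any traffic on the internal network. What the relay cannot do is inspect the bytes it copies, which is exactly why the post calls the internal servers "effectively unprotected" once such a hole is opened.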