ExpressRoute NAT options


I am about to get an ExpressRoute connection put in from a customer network with a fixed set of IPv4 addresses, let's say 10.253.253.64/27. I need to map specific IP addresses from this range to different services in different subscriptions with their own Virtual networks.

I will have the ExpressRoute connection in its own Subscription "ER" (Virtual network address space 192.168.3.0/23) and the services in other separate subscriptions "SUB1" (Virtual network address space 192.168.100.0/23) and "SUB2" (Virtual network address space 192.168.200.0/23).

1) When configuring Azure Private peering in ExpressRoute I would expect to get the ASN and VLAN from the provider, but do I use 2 smaller subnets of the 10.253.253.64/27 range in the Azure primary and secondary subnet or other completely different private subnets?

2) Once I have peered the Virtual networks into the ER address space they show up under peered virtual network address space in the ER Virtual network address space.

3) I can connect outbound through ExpressRoute from VM1 (192.168.100.194) on SUB1 and VM2 (192.168.200.194) on SUB2.

4) How do I NAT 10.253.253.70 inbound to VM1 192.168.100.194 and NAT 10.253.253.71 to VM2 192.168.200.194 on Port 3389?

If it needs Azure Firewall to do this, do I put it in the ER SUB or a firewall in each of the SUB1 and SUB2 subscriptions?

2 Replies

@Kidd_Ip

Hi,

I looked at that but assumed this is the customer side of the ExpressRoute, which I have no access to, and they have also said they won't do any NAT on their side.

I have to do the NAT from within Azure.