We have 16 IP addresses from our ISP, and are setting up a SonicWall Firewall. I'd like to have the SonicWall do NAT for the LAN, but act as a firewall only (no NAT) for the servers which are using some of the 16 addresses. How do I set this up? If I set the WAN's subnet to include the 16 IPs, the SonicWall won't route the traffic to the LAN interface. Should I set the WAN subnet to only include the ones we are dedicating for NAT, and then keep the others on the LAN?
Related point: How can I set multiple IP addresses for a SonicWall LAN interface?
CLARIFICATION: The servers are not NAT'd; they're using their public IPs directly.
As Tom suggested in the comments, what you need to do is set up a static 1:1 NAT for your (I hope) DMZ'ed public-facing servers. Your source NAT (many-to-one likely) will allow your LAN subnet to NAT out as one of your /16 accordingly.
For example:
By setting up your LAN and your DMZ networks on separate subnets (whether you use VLANs or a separate interface on your firewall; it should have a "DMZ" or "Optional" interface), which are routed and filtered by your firewall, you can now set up 1:1 NAT to statically assign a DMZ address to a public address, but also have filtering set up to permit inbound traffic from the Internet and from your LAN (and vice-versa, say if one of your servers needs to talk to a Domain Controller internally) on only the ports and source IP addresses you wish.
To the rest of the world, your servers appear to be on the "outside", but they're really isolated to/from the Internet and to/from your LAN, improving security by allowing you to create inbound rules for Internet traffic but also outbound rules to, say, only permit a Webserver to accept established inbound 80/443 connections, but not allow it to initiate outbound connections to any TCP/UDP port (and thus adding a layer of defense against zombified botnet traffic, or spam bots, etc. should your Webserver become compromised).
If your servers are NOT behind your firewall, you get no benefit of firewalling, centralized firewall logging, etc. and that's not a Good Thing.
Digging a bit further (and taking a step back to think about this), you could do a transparent subnet gateway with proxy ARP as described in RFC 1027 and also in this KB document from SonicWall. I'm not sure if your firewall is one of the supported models, but this should work for you.
EDIT: depending on what you're doing, you might need to use Layer 2 Bridging mode vs. Transparent mode; see this document for a comparison of the two.
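The DMZ layout described in the answer above can be sanity-checked on paper before it is entered into the firewall. The sketch below is an added example, not part of the original answer and not SonicWall configuration: a vendor-neutral Python model of a 1:1 NAT table plus a first-match, default-deny rule list. All addresses (documentation ranges), host names, ports and rules are constructed assumptions.

```python
import ipaddress as ipa

# Constructed addressing plan (documentation ranges, not from the post).
ISP_BLOCK = ipa.ip_network("203.0.113.0/28")       # the 16 public addresses
LAN, DMZ = ipa.ip_network("192.168.1.0/24"), ipa.ip_network("192.168.2.0/24")
LAN_NAT_IP = ipa.ip_address("203.0.113.2")         # many-to-one source NAT for the LAN
WEB, MAIL, DC = (ipa.ip_address(a) for a in ("192.168.2.10", "192.168.2.11", "192.168.1.5"))
ONE_TO_ONE = {ipa.ip_address("203.0.113.3"): WEB, ipa.ip_address("203.0.113.4"): MAIL}

# First match wins; anything unmatched is dropped. None means "any".
# (src_zone, src_ip, dst_zone, dst_ip, proto, ports, action)
RULES = [
    ("WAN", None, "DMZ", WEB,  "tcp", {80, 443},     "allow"),
    ("DMZ", WEB,  "LAN", DC,   "tcp", {389, 636},    "allow"),
    ("LAN", None, "DMZ", None, "tcp", {22, 80, 443}, "allow"),
    ("LAN", None, "WAN", None, None,  None,          "allow"),
    ("DMZ", None, "WAN", None, None,  None,          "deny"),  # no server-initiated outbound
]

def plan_errors():
    """Return a list of problems in the NAT plan (empty when it is consistent)."""
    errs, usable = [], set(ISP_BLOCK.hosts())
    if LAN.overlaps(DMZ):
        errs.append("LAN and DMZ subnets overlap")
    for pub, priv in ONE_TO_ONE.items():
        if pub not in usable:
            errs.append(f"{pub} is not a usable host in {ISP_BLOCK}")
        if pub == LAN_NAT_IP:
            errs.append(f"{pub} is also the LAN source-NAT address")
        if priv not in DMZ:
            errs.append(f"{priv} is outside the DMZ subnet {DMZ}")
    return errs

def decide(src_zone, src_ip, dst_zone, dst_ip, proto, port):
    """Evaluate a NEW connection; replies to allowed flows are assumed stateful."""
    src_ip, dst_ip = ipa.ip_address(src_ip), ipa.ip_address(dst_ip)
    if src_zone == "WAN":                    # inbound: undo 1:1 NAT before filtering
        if dst_ip not in ONE_TO_ONE:
            return "deny"
        dst_ip = ONE_TO_ONE[dst_ip]
    for r_sz, r_sip, r_dz, r_dip, r_proto, r_ports, action in RULES:
        if (r_sz == src_zone and r_dz == dst_zone
                and r_sip in (None, src_ip) and r_dip in (None, dst_ip)
                and r_proto in (None, proto) and (r_ports is None or port in r_ports)):
            return action
    return "deny"
```

Walking candidate flows through `decide()` shows which ones the plan permits, for instance that a web server in the DMZ cannot open a new outbound connection to port 25 even though inbound 443 to its public address is allowed.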