NATD and Address Redirection

Jim Durham durham at jcdurham.com
Fri Jul 25 10:49:40 PDT 2003


I'm wondering about the characteristics of the redirect_address option 
of natd. I tried this on -questions, but no one replied, so I thought 
I'd ask on here, hoping to find folks more familiar with kernel 
mechanisms here.

Consider a FreeBSD NAT "gateway" between a public IP on one network 
interface and a private "LAN" address on the 2nd interface serving a 
group of windows machines on the LAN with private IPs.

We wanted to allow outside access to one of the LAN machines.

According to the documentation, as I read it, redirect_address sets up 
a "static NAT" which is symmetrical between a public address on the 
outside interface of a FreeBSD machine and a machine on a private IP 
attached to the "inside" or "LAN" network interface. 

The procedure we used was to alias a 2nd public address to the outside 
interface and use a redirect_address statement in natd.conf to 
redirect connections to the new public IP to the inside machine.

This doesn't seem to be symmetrical.  You can ping the inside machine 
from outside using the new address and if you connect outwards from 
the inside machine, the outside world sees the connection as coming 
from the new public IP. However, a test running VNC server on the 
inside machine and connecting from outside does not work. You can 
connect to the inside machine and it sees mouse and keyboard, but the 
virtual screen does not work. It seems that the connection works 
properly redirecting inward but not outward. VNC disconnects in about 
a minute.

If you connect to the inside machine using the -via option of VNC to 
build an encrypted tunnel to the FreeBSD gateway and then connect to 
the inside machine directly, it works properly, so it doesn't appear 
to be a VNC problem.

I'm questioning whether the connection is really symmetrical?

-Jim
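The configuration Jim describes, written out as an added example (these are not his files, and the addresses and interface names are constructed for illustration: fxp0 as the outside interface, 203.0.113.10 as the gateway's primary public address, 203.0.113.11 as the aliased second public address, and 192.168.1.20 as the inside host). The alias is added in rc.conf, natd runs from a config file, and a single ipfw divert rule on the outside interface hands both directions of traffic to natd, which is what a static one-to-one mapping needs in order to rewrite inbound destinations and outbound sources alike.

```conf
# /etc/rc.conf fragment (constructed example)
# Second public address aliased onto the outside interface; the /32 netmask
# is required for an alias on the same subnet as the primary address.
ifconfig_fxp0="inet 203.0.113.10 netmask 255.255.255.0"
ifconfig_fxp0_alias0="inet 203.0.113.11 netmask 255.255.255.255"
gateway_enable="YES"
firewall_enable="YES"
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"

# /etc/natd.conf (constructed example)
# Outside interface natd translates on.
interface fxp0
use_sockets yes
same_ports yes
# Static NAT: localIP first, then the public address it is bound to.
# Inbound packets to 203.0.113.11 are rewritten to 192.168.1.20, and
# outbound packets from 192.168.1.20 leave with source 203.0.113.11.
redirect_address 192.168.1.20 203.0.113.11

# ipfw rule (constructed example), e.g. in a custom firewall script:
# divert every packet crossing the outside interface, in both directions,
# to natd; without the "via fxp0" match on both directions only one half
# of the mapping is translated and the static NAT is not symmetrical.
#   ipfw add 50 divert natd ip from any to any via fxp0
```

When checking whether the mapping really is symmetric, it helps to watch the outside interface while the inside host opens a connection outward and while an outside host connects to the alias: in a correct setup both directions show only 203.0.113.11 on the wire, and the private 192.168.1.20 address never appears on fxp0.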


