2008-01-10
mcnallym
Re: Auto NAT vs Manual NAT vs port mapping problem

If I understand you correctly then the Server is on your network behind an R65 box with one external dynamic IP address. Do you actually need to initiate a connection from the server to the client, other than reply traffic to the client's request?

I would look at the SRV_REDIRECT function (look at http_mapped) for how to use this. That way, rather than NATting the traffic, it just redirects, essentially port mapping the traffic rather than NAT as such.

VPN-1/FireWall-1 can perform Port Address Translation (PAT), and includes predefined Port Mapping Services. Connections are directed to the firewall module, accepted on a given port and translated to another, then routed to an internal server, when Port Mapping Services are defined and configured. This occurs transparently to users.

Procedure:

Configuring predefined TCP Port Mapping Services

1. Log into SmartDashboard.
2. Click 'Manage > Services'.
3. On the Services dialog box, click the drop-down menu next to 'Show:', select 'User defined services' and choose the desired Port Mapping Service (e.g. http_mapped).
4. Click the 'Advanced' button.
5. In the 'Match' section, configure the IP address of the internal server utilizing port mapping, and the mapped ports.

   Example:

   Default
   SRV_REDIRECT(80,0.0.0.0,80)

   Modified
   SRV_REDIRECT(80,10.20.1.5,8080)

6. Click 'OK' and close all screens.
7. Configure the rule (see Rule Base configuration).

   Rule Base Configuration

   Source: Any
   Destination: firewall_object
   Service: Port Mapping Service (e.g. http_mapped)
   Action: accept

8. Install the Security Policy.