I have observed a Palo Alto do the following:
Original Source: Any -> Original Destination: Some subnet or IP -> Translated Source: outgoing Interface (or whatever IP you like) [Hide] .. Translated Destination: Original.
As I'm sure everyone here who's experienced, if you try this in a Check Point, it dies on Verify..
Who does PhoneBoy need to sleep with to get this functionality into Check Point Firewall-1 ???
and yes.. an ASA can do this too... and probably IPtables..
Publicly Available service; or Extranet service.. but the firewall, or path back to the firewall, is not the default gateway where the server is located.