You need to do the NAT for the web server on the incoming interfaces of both firewalls (in relation to the web server).
IOW, you need a NAT rule on gate1 (em1) that translates between the 88.99.100.x address and the 10.0.1.5 address for the web server. This handles all the traffic to/from the Internet.
Then you need a NAT rule on gate2 (bce1) that translates between the 88.99.100.x address and the 10.0.1.5 address for the web server. This handles all the traffic to/from the local network.
Better still is to implement proper split DNS, such that DNS requests from the Internet resolve to the 88.99.100.x address, and DNS requests from the local network resolve to a 192.168.4.x address (which is an alias on gate2 with 1-1 NAT for the web server).
|