Sort of related ... this is an area we are addressing at Tenable with the Lightning Proxy.
There are two issues here -- one is the 'bypassing' of the router or firewall, and the other is how to handle RFC1918 addressing. Our approach with the Proxy is to allow customers to place as many Nessus scanners as they want behind a firewall/router. To do this, they would need to allow an inbound TCP connection through the firewall from the Lightning Console. This is a very 'nice' thing to do as many network devices do not take being port-scanned well.
The Proxy also handles "translation" of NAT addresses. For example, lets say someone has a Nessus scanner behind a NAT firewall on 192.168.0.10, but they connect to it on the 'real' IP address side at 64.24.33.22 on port 1242 through a port forward. There may not be a route to the 192.168.0.0/24 network, but this internal network can still be addressed through a Proxy. The Proxy is able to associate the nessusd at 64.24.33.22 with the internal address range.
Ron Gula Tenable Network Security http://www.tenablesecurity.com
