The thing is that normally it works like this:
user -> forwarder -> server
- user contacts forwarder for a service that is actually running on server
- DNAT replaces the destination 'forwarder' with the real destination IP 'server' and sends the packet on
- the reply is sent with source 'server' and destination 'user'
- the forwarder replaces source 'server' with its own IP and sends it on
- user thinks it's talking to forwarder and is expecting source address 'forwarder' in the reply packet, so it all works out
The only way I can see it work in your case is if:
- the cisco rewrites port 80 traffic for any destination to have destination 'forwarder'
- the cisco rewrites the source address of reply packets to match the original destination (if this isn't the case, you can stop reading
- the forwarder has these lines:
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 172.30.5.88 --dport 80 -j DNAT --to 172.20.4.20:8002
iptables -A FORWARD -i eth1 -o eth0 -p tcp -d 172.20.4.20 --dport 8002 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 172.30.5.88