Reverse port forwarding: Connection refused
We've the following setup:
1.a ---+
       +---nat.a---Internet---nat.b---1.b
2.a----+
* nat.a and nat.b are NAT routers.
* nat.a:2222 is forwarded to 1.a:22
* nat.a is a machine with SSH access.
Our goal: We want to access 1.b from 2.a with the help of reverse port
forwarding.
What I tried:
Method A: On 1.b, I ran the following command (names were, of course,
different):
ssh -R3333:localhost:22 nat.a
Now, I can connect from 2.a to 1.b as follows:
ssh -p3333 some_user@nat.a
Method B: On 1.b, I ran the following command:
ssh -p2222 -R3333:localhost:22 nat.a
Now, I tried connecting from 2.a to 1.b as follows:
ssh -p3333 some_user@1.a
This, however, failed:
ssh: connect to host 2.a port 3333: Connection refused
However, what works is connecting from 1.a to 1.b by issuing the
following command on 1.a:
ssh -p3333 some_user@localhost
Note that there is *no* firewall active on 1.a.
Any idea why method B for accessing 1.b from 2.a may be failing? It'd be
our preferred method since 1.b:22 would then not be accessible from the
Internet.
I must be missing something obvious. So far, I didn't find anything
interesting in the logs.
--
Felix E. Klee
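
An added diagnostic sketch, not part of the original post: OpenSSH's sshd binds `-R` listeners to the loopback address unless its `GatewayPorts` option permits otherwise, so the first thing to check on 1.a is which address port 3333 is actually bound to. The function name and the sample `ss -tln` listings below are constructed for illustration.

```shell
#!/bin/sh
# Classify how a forwarded port is bound, reading `ss -tln` output on stdin.
# Prints: not-listening | loopback-only | all-interfaces | specific:<addr>
forward_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")          # port is the last ":" field
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            found = 1
            if (addr == "127.0.0.1" || addr == "[::1]") next
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") { wide = 1; next }
            specific = addr
        }
        END {
            if (!found)              print "not-listening"
            else if (wide)           print "all-interfaces"
            else if (specific != "") print "specific:" specific
            else                     print "loopback-only"
        }'
}

# Constructed sample: listener as created with GatewayPorts at its default (no).
SAMPLE_DEFAULT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:3333     0.0.0.0:*
LISTEN 0      128    [::1]:3333         [::]:*'

# Constructed sample: listener as created with GatewayPorts yes.
SAMPLE_GATEWAY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:3333       0.0.0.0:*
LISTEN 0      128    [::]:3333          [::]:*'

printf '%s\n' "$SAMPLE_DEFAULT" | forward_scope 3333   # loopback-only
printf '%s\n' "$SAMPLE_GATEWAY" | forward_scope 3333   # all-interfaces

# On a live host (here: 1.a), feed it the real listing instead:
#   ss -tln | forward_scope 3333
```

A `loopback-only` result matches the symptom described: `localhost` on 1.a connects, other hosts get "Connection refused". With `GatewayPorts clientspecified` in sshd_config on 1.a, the client can request a single internal bind address (`-R bind_address:3333:localhost:22`), which keeps the listener off interfaces that do not need it.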