Pentesting through FW, advice needed

[giorgio.casali at gmail.com (Giorgio Casali)]

Hi all, during a pentest I managed to shovel an unprivileged php
reverse shell on a nated host (host B) behind a checkpoint FW-1.

I then noticed there are several potential targets reachable only from
host B. I was wondering if there was a method to exploit them from my
pc (behind another FW that I manage) directly, without the need of
uploading metasploit on host B and exploiting the targets from there.

I was thinking about creating custom payload with a correct handler,
but don't know well how-to use the payload generated by msfpayload.

Thank in advance,

G.C.