NAT address pools are not bound to any interfaces. The
following figure illustrates the behavior of the firewall when it
is performing proxy ARP for an address in a NAT address pool.
The firewall performs source NAT for a client, translating the
source address 10.1.1.1 to the address in the NAT pool, 192.168.2.2.
The translated packet is sent on to a router.
For the return traffic, the router doesn't know how to reach 192.168.2.2 (because that IP address
is just an address in the NAT address pool), so it sends an ARP request packet to the
firewall.
In our first scenario, when the NAT pool address (192.168.2.2) is in the same subnet as
the egress/ingress interface IP address (192.168.2.3/24), the firewall can send a proxy
ARP reply to the router, indicating the Layer 2 MAC address for 192.168.2.2 is
54:22:07:33:98:21, as shown in the figure above.
No Proxy ARP When the NAT Pool Address Isn't a Subnet of the Egress/Ingress
Interface
In our second scenario, the NAT pool address (192.168.2.2) isn't a subnet of an
interface on the firewall, so the firewall won't send a proxy ARP reply to the
router. This means that the router must be configured with the necessary route to
know where to send packets destined for 192.168.2.2, in order to ensure the return
traffic is routed back to the firewall, as shown in the figure below.