NAT address pools are not bound to any interface. The
following figure illustrates the behavior of the firewall when it
is performing proxy ARP for an address in a NAT address pool.
The firewall performs source NAT for a client, translating the
source address 184.108.40.206 to the address in the NAT pool, 220.127.116.11.
The translated packet is sent on to a router.
For the return traffic, the router does not know how to reach
18.104.22.168 (because the IP address 22.214.171.124 is just an address in the
NAT address pool), so it sends an ARP request packet to the firewall.
If the address pool (126.96.36.199) is in the same subnet as
the egress/ingress interface IP address (188.8.131.52/24), the firewall
can send a proxy ARP reply to the router, indicating the Layer 2
MAC address of the IP address, as shown in the figure above.
If the address pool (184.108.40.206) is not in the subnet of any interface
on the firewall, the firewall will not send a proxy ARP reply to
the router. This means that the router must be configured with the
necessary route to know where to send packets destined for 220.127.116.11,
in order to ensure the return traffic is routed back to the firewall,
as shown in the figure below.
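
The rule above can be checked before a NAT pool is deployed. The following is an added example, not vendor code: it applies the same-subnet test to each pool address and generalizes it to address ranges and CIDR pools that straddle an interface subnet. The function names, interface names, and RFC 5737 documentation addresses are constructed for illustration.

```python
import ipaddress

def parse_pool(pool):
    """Accept a single address, a 'first-last' range, or a CIDR; return IPv4 networks."""
    if "-" in pool:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in pool.split("-"))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.IPv4Network(pool, strict=False)]

def classify_pool(pool, interfaces):
    """Split a NAT pool into the blocks the firewall can proxy-ARP for (same
    subnet as an interface address) and the blocks the router needs a route for."""
    if_nets = {name: ipaddress.IPv4Interface(cidr).network
               for name, cidr in interfaces.items()}
    proxy_arp, needs_route = [], []
    work = parse_pool(pool)
    while work:
        net = work.pop()
        for name, if_net in if_nets.items():
            if net.subnet_of(if_net):
                # Pool block lies inside an interface subnet: proxy ARP applies.
                proxy_arp.append((str(net), name))
                break
            if if_net.subnet_of(net):
                # Pool block is wider than the interface subnet: keep the inside
                # part for proxy ARP and re-examine what is left over.
                work.append(if_net)
                work.extend(net.address_exclude(if_net))
                break
        else:
            # No interface subnet contains this block: no proxy ARP reply, so the
            # router needs a route for it that points at the firewall.
            needs_route.append(str(net))
    return sorted(proxy_arp), sorted(needs_route)

# Constructed sample: two firewall interfaces and three candidate NAT pools.
SAMPLE_INTERFACES = {"ethernet1/1": "198.51.100.1/24", "ethernet1/2": "192.0.2.1/24"}
SAMPLE_POOLS = ["198.51.100.50", "203.0.113.10", "198.51.100.254-198.51.101.1"]

if __name__ == "__main__":
    for pool in SAMPLE_POOLS:
        arp, route = classify_pool(pool, SAMPLE_INTERFACES)
        print(f"{pool}: proxy ARP for {arp}; router needs route for {route}")
```

Any block reported under "router needs route" corresponds to the second case above, where return traffic reaches the firewall only if the router has a route for the pool address.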