In our scenario, we want the firewall to act as an NDP proxy
for the prefixes on devices behind the firewall. When the firewall
is the NDP proxy for a specified set of addresses, ranges, or prefixes
and it sees an address from that set in an ND solicitation or
advertisement, the firewall responds as long as a device with
that specific address doesn’t respond first, the address is not
negated in the NDP proxy configuration, and the address is not in
the ND cache. The firewall does the prefix translation (described
below) and sends the packet to the trust side, where that address
might or might not be assigned to a device.
In this example, the ND Proxy table contains the network address
2001:DB8::0. When the interface sees an ND packet for 2001:DB8::100,
no other devices on the L2 switch claim the packet, so the proxy range
causes the firewall to claim it, and after translating the address to
FDD4:7A3E::100, the firewall sends the packet out to the trust side.
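The decision and translation described above, modelled as an added Python example (not the firewall's own code). The /64 prefix lengths and all function and parameter names are assumptions; the translation is a plain prefix substitution, as the example addresses above show, with no checksum adjustment.

```python
import ipaddress

# Assumptions (not from the page): /64 prefix lengths and every name below.
EXTERNAL = ipaddress.ip_network("2001:db8::/64")    # prefix in the ND proxy table
INTERNAL = ipaddress.ip_network("fdd4:7a3e::/64")   # trust-side prefix


def translate(addr, src=EXTERNAL, dst=INTERNAL):
    """Swap the src prefix for the dst prefix, keeping the host bits."""
    addr = ipaddress.ip_address(addr)
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    host_bits = int(addr) & int(src.hostmask)
    return ipaddress.ip_address(int(dst.network_address) | host_bits)


def proxy_decision(target, proxy_ranges, negated=(), nd_cache=(),
                   owner_replied=False):
    """Return (claims, translated_address) for an ND packet naming `target`.

    The firewall claims the packet only when the target is inside a proxy
    range, is not negated, is not in the ND cache, and no device holding
    that address has already responded.
    """
    target = ipaddress.ip_address(target)
    in_range = any(target in ipaddress.ip_network(r) for r in proxy_ranges)
    is_negated = any(target in ipaddress.ip_network(n) for n in negated)
    cached = target in {ipaddress.ip_address(a) for a in nd_cache}
    if not in_range or is_negated or cached or owner_replied:
        return False, None
    return True, translate(target)


if __name__ == "__main__":
    ranges = ["2001:db8::/64"]
    # The page's case: nothing else claims 2001:DB8::100, so the proxy does.
    print(proxy_decision("2001:DB8::100", ranges))
    # Same address, but negated in the proxy configuration: no response.
    print(proxy_decision("2001:DB8::100", ranges, negated=["2001:db8::100"]))
    # Address already present in the ND cache: no proxy response.
    print(proxy_decision("2001:DB8::100", ranges, nd_cache=["2001:db8::100"]))
```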