Proxy ARP for NAT Address Pools

NAT address pools are not bound to any interfaces. The following figure illustrates the behavior of the firewall when it is performing proxy ARP for an address in a NAT address pool.
[Figure: nat_proxy_arp.png]
The firewall performs source NAT for a client, translating the source address 10.1.1.1 to the address in the NAT pool, 192.168.2.2. The translated packet is sent on to a router.
For the return traffic, the router does not know how to reach 192.168.2.2 (because that IP address is just an address in the NAT address pool), so it sends an ARP request packet to the firewall.
  • If the address pool (192.168.2.2) is in the same subnet as the egress/ingress interface IP address (192.168.2.3/24), the firewall can send a proxy ARP reply to the router, indicating the Layer 2 MAC address of the IP address, as shown in the figure above.
  • If the address pool (192.168.2.2) is not in the subnet of any interface on the firewall, the firewall will not send a proxy ARP reply to the router. In that case the router must be configured with a route for 192.168.2.2 that points back to the firewall, so that the return traffic is routed to the firewall, as shown in the figure below.
    [Figure: nat_proxy_arp_no.png]
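The two cases above reduce to one check: does the NAT pool address fall inside the subnet configured on one of the firewall's interfaces? The following script is an added example, not part of the original documentation or any vendor tool. It models that check with Python's standard `ipaddress` module so an administrator can audit a whole pool before deploying it and see which addresses the firewall would proxy-ARP for and which need a static route on the upstream router. The interface table (names `ethernet1/1`, `ethernet1/2`, and the 10.1.1.254/24 client-side address) and the out-of-subnet pool 203.0.113.8/30 are constructed values; 192.168.2.3/24 and 192.168.2.2 come from the figure.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed interface table modelled on the figure. The egress/ingress
# interface carries 192.168.2.3/24 as in the text; the interface names and
# the 10.1.1.254/24 client-side address are hypothetical.
INTERFACES: Dict[str, str] = {
    "ethernet1/1": "10.1.1.254/24",
    "ethernet1/2": "192.168.2.3/24",
}


def proxy_arp_interface(pool_address: str,
                        interfaces: Dict[str, str] = INTERFACES) -> Optional[str]:
    """Return the interface whose subnet contains pool_address, or None.

    This mirrors the rule in the text: the firewall answers an ARP request
    for a NAT pool address only when that address lies inside the subnet of
    one of its interface addresses. None means the router cannot learn the
    MAC via ARP and must instead hold a route pointing at the firewall.
    """
    addr = ipaddress.ip_address(pool_address)
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        if addr in iface.network:
            return name
    return None


def audit_pool(pool_cidr: str,
               interfaces: Dict[str, str] = INTERFACES) -> Dict[str, Optional[str]]:
    """Map every address in a NAT pool to the interface that would proxy-ARP for it."""
    net = ipaddress.ip_network(pool_cidr, strict=False)
    return {str(a): proxy_arp_interface(str(a), interfaces) for a in net}


def addresses_needing_route(pool_cidr: str,
                            interfaces: Dict[str, str] = INTERFACES) -> List[str]:
    """Pool addresses the upstream router needs a static route for, in address order."""
    unreachable = [a for a, iface in audit_pool(pool_cidr, interfaces).items()
                   if iface is None]
    return sorted(unreachable, key=ipaddress.ip_address)


if __name__ == "__main__":
    # Case 1 from the text: pool address inside the interface subnet.
    print("192.168.2.2 ->", proxy_arp_interface("192.168.2.2"))
    # Case 2: a constructed pool outside every interface subnet.
    for addr in addresses_needing_route("203.0.113.8/30"):
        print(f"{addr}: no proxy ARP, router needs a route to the firewall")
```

Running the audit during change review catches the second case before it shows up as one-way traffic: a pool address with no interface listed is exactly the address for which the router will ARP and get no reply.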
