NAT address pools are not bound to any interfaces. The
following figure illustrates the behavior of the firewall when it
is performing proxy ARP for an address in a NAT address pool.
The firewall performs source NAT for a client, translating the
source address 10.1.1.1 to the address in the NAT pool, 192.168.2.2.
The translated packet is sent on to a router.
For the return traffic, the router does not know how to reach
192.168.2.2 (because that IP address is just an address in the NAT
address pool), so it sends an ARP request packet to the firewall.
If the address pool (192.168.2.2) is in the same subnet
as the egress/ingress interface IP address (192.168.2.3/24), the
firewall can send a proxy ARP reply to the router, supplying the Layer
2 MAC address for that IP address, as shown in the figure above.
If the address pool (192.168.2.2) is not in the subnet of an interface
on the firewall, the firewall will not send a proxy ARP reply to
the router. This means that the router must be configured with the
necessary route to know where to send packets destined for 192.168.2.2,
in order to ensure the return traffic is routed back to the firewall,
as shown in the figure below.
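
The following is an added example, not part of the original documentation or the vendor's code: a small audit helper that applies the rule above to decide which parts of a NAT pool the firewall would answer ARP for and which parts need a route on the upstream router. It generalizes the single-address case to ranges and prefixes that straddle an interface subnet; the interface name `ethernet1/1` and all inputs other than 192.168.2.2 and 192.168.2.3/24 are constructed for illustration.

```python
import ipaddress

def pool_networks(pool):
    """Expand a pool written as 'addr', 'addr/len' or 'first-last' into networks."""
    if "-" in pool:
        first, last = (ipaddress.ip_address(p.strip()) for p in pool.split("-"))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(pool, strict=False)]

def classify_pool(pool, interfaces):
    """Split a NAT pool by the rule in the text.

    interfaces maps a name to its address, e.g. {'ethernet1/1': '192.168.2.3/24'}.
    Returns (proxy_arp, needs_route):
      proxy_arp   - {interface name: [pool networks inside that interface's subnet]}
      needs_route - [pool networks outside every interface subnet]
    """
    subnets = {n: ipaddress.ip_interface(c).network for n, c in interfaces.items()}
    proxy_arp, needs_route = {}, []
    pending = pool_networks(pool)
    while pending:
        net = pending.pop()
        same_ver = {n: s for n, s in subnets.items() if s.version == net.version}
        owner = next((n for n, s in same_ver.items() if net.subnet_of(s)), None)
        if owner is not None:
            proxy_arp.setdefault(owner, []).append(net)
        elif any(s.overlaps(net) for s in same_ver.values()):
            # Pool block straddles an interface subnet boundary: halve and retry.
            pending.extend(net.subnets())
        else:
            needs_route.append(net)
    for nets in proxy_arp.values():
        nets.sort()
    needs_route.sort()
    return proxy_arp, needs_route

if __name__ == "__main__":
    # Constructed inputs; the first is the case from the text.
    cases = [
        ("192.168.2.2", {"ethernet1/1": "192.168.2.3/24"}),
        ("192.168.2.2", {"ethernet1/1": "10.0.0.1/24"}),
        ("192.168.2.250-192.168.3.5", {"ethernet1/1": "192.168.2.3/24"}),
    ]
    for pool, ifaces in cases:
        arp, route = classify_pool(pool, ifaces)
        print(pool, ifaces)
        for name, nets in arp.items():
            print("  proxy ARP on", name, "->", ", ".join(map(str, nets)))
        for net in route:
            print("  upstream route to firewall required ->", net)
```

Any network reported as requiring a route is one the upstream router will drop return traffic for unless that route exists.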