Proxy ARP for NAT Address Pools
Proxy ARP for NAT Address Pools

NAT address pools are not bound to any interface, so the firewall decides per address whether it will answer ARP on that address's behalf. The following figure illustrates the behavior of the firewall when it is performing proxy ARP for an address in a NAT address pool.
The firewall performs source NAT for a client, translating the source address 10.1.1.1 to an address in the NAT pool, 192.168.2.2. The translated packet is sent on to a router.
For the return traffic, 192.168.2.2 falls inside the subnet directly connected to the router, but no host on that segment owns the address (it is only an address in the NAT address pool), so the router broadcasts an ARP request for it instead of forwarding the packet to a next-hop router.
In our first scenario, the NAT pool address (192.168.2.2) is in the same subnet as the egress/ingress interface IP address (192.168.2.3/24), so the firewall answers the router's ARP request with a proxy ARP reply stating that the Layer 2 MAC address for 192.168.2.2 is 54:22:07:33:98:21 (the MAC address of its own interface), as shown in the figure above. The router then forwards the return traffic to the firewall, which reverses the translation. Because the firewall will answer ARP for every pool address that lies in an interface subnet, a pool address must not also be assigned to the interface itself or to another host on the segment; otherwise two devices answer the same ARP request and traffic for that address is delivered unpredictably.

No Proxy ARP When the NAT Pool Address Isn't in the Subnet of the Egress/Ingress Interface

In our second scenario, the NAT pool address (192.168.2.2) isn't in the subnet of any interface on the firewall, so the firewall won't send a proxy ARP reply to the router; from the router's point of view the address is off-link and no ARP request is generated for it. This means that the router must be configured with a route (typically a static route for the pool address or pool prefix with the firewall's interface IP address as the next hop) so that it knows where to send packets destined for 192.168.2.2, in order to ensure the return traffic is routed back to the firewall, as shown in the figure below. Verify the route before relying on the pool: if the router has no such route, return traffic for the pool address follows the router's default route and the translated sessions never complete.
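The following added example models both scenarios above (it is not code from the original page or from any firewall product). It takes the firewall interface 192.168.2.3/24, its MAC address 54:22:07:33:98:21 and the pool address 192.168.2.2 from the text; the interface name ethernet1/1, the second pool range 203.0.113.0/29 (chosen to be outside every interface subnet), and the router's MAC and IP address are constructed for the example. `proxy_arp_reply_mac` implements the decision rule (answer only for a pool address that lies in an interface subnet), `router_static_route` produces the route the router needs in the second scenario, and `build_arp_reply` shows the raw frame of the proxy ARP reply so you can compare it with a packet capture.

```python
import ipaddress
import struct

# Constructed topology mirroring the text. Interface IP and MAC are from the
# page; the interface name is an assumption. NAT_POOL holds 192.168.2.2
# (scenario 1, inside the interface subnet) plus an assumed 203.0.113.0/29
# range that is outside every interface subnet (scenario 2).
FW_INTERFACES = {
    "ethernet1/1": ("192.168.2.3/24", "54:22:07:33:98:21"),
}
NAT_POOL = ["192.168.2.2/32", "203.0.113.0/29"]


def _pool_contains(ip, pool):
    ip = ipaddress.ip_address(ip)
    return any(ip in ipaddress.ip_network(p) for p in pool)


def proxy_arp_reply_mac(target_ip, interfaces=FW_INTERFACES, pool=NAT_POOL):
    """Decide whether the firewall answers an ARP request for target_ip.

    It answers only when target_ip is a NAT pool address AND lies inside the
    subnet of one of its own interfaces; the reply carries that interface's
    MAC. Returns the MAC string, or None when no proxy ARP reply is sent.
    Raises ValueError when a pool address collides with an interface IP,
    because the firewall would then answer ARP for its own address twice.
    """
    if not _pool_contains(target_ip, pool):
        return None  # not a NAT pool address: nothing to proxy for
    ip = ipaddress.ip_address(target_ip)
    for _name, (cidr, mac) in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        if ip == iface.ip:
            raise ValueError(f"NAT pool address {ip} collides with interface IP")
        if ip in iface.network:
            return mac  # scenario 1: proxy ARP reply with the interface MAC
    return None  # scenario 2: pool address outside every interface subnet


def router_static_route(pool_cidr, interfaces=FW_INTERFACES):
    """Return the (destination, next_hop) the router needs for a pool prefix
    the firewall will not proxy ARP for, the next hop being the firewall's
    router-facing interface IP. Returns None when the prefix sits inside an
    interface subnet and proxy ARP already handles it.
    """
    net = ipaddress.ip_network(pool_cidr)
    for _name, (cidr, _mac) in interfaces.items():
        if net.subnet_of(ipaddress.ip_interface(cidr).network):
            return None
    # Assumption: the first listed interface is the one facing the router.
    router_facing = next(iter(interfaces.values()))[0]
    return (str(net), str(ipaddress.ip_interface(router_facing).ip))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build the raw Ethernet frame of an ARP reply (42 bytes, no padding).

    sender_* is the address being claimed (the NAT pool address and the
    firewall interface MAC); target_* is the requesting router.
    """
    def mac_bytes(m):
        return bytes.fromhex(m.replace(":", ""))

    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", 0x0806)
    # hw type Ethernet(1), proto IPv4(0x0800), hlen 6, plen 4, opcode reply(2)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    arp += mac_bytes(sender_mac) + ipaddress.ip_address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.ip_address(target_ip).packed
    return eth + arp


def answer_arp_request(requester_mac, requester_ip, target_ip):
    """Model the firewall's handling of one ARP request from the router:
    return the proxy ARP reply frame, or None when the firewall stays silent."""
    mac = proxy_arp_reply_mac(target_ip)
    if mac is None:
        return None
    return build_arp_reply(mac, target_ip, requester_mac, requester_ip)


if __name__ == "__main__":
    # Constructed router identity for the demonstration.
    router_mac, router_ip = "00:00:5e:00:01:01", "192.168.2.1"
    for pool_ip in ("192.168.2.2", "203.0.113.2"):
        frame = answer_arp_request(router_mac, router_ip, pool_ip)
        print(pool_ip, "->", frame.hex() if frame else "no proxy ARP reply")
    for prefix in NAT_POOL:
        print(prefix, "router route needed:", router_static_route(prefix))
```

Running the block prints a 42-byte proxy ARP reply for 192.168.2.2 and no reply for 203.0.113.2, together with the static route (203.0.113.0/29 via 192.168.2.3) the router must carry for the second range. When checking a live deployment, capture on the router-facing segment while return traffic is flowing: an ARP reply whose sender hardware address is the firewall interface MAC and whose sender protocol address is the pool address confirms scenario 1; seeing no reply for a pool address is the signature of scenario 2 and means the route on the router is doing the work.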