2007-02-28
dfwboiler
Anyone ever use proxy arp like this...

So....
Problem is I've got someone submitting requests to new NATs on the firewall trying to mimic a current proxy arp setup.
Here's the info on proxy arp that's working.

network: 200.200.200/24
firewall interface eth1: 200.200.200.5/24

Now, switch between network and firewall is set to forward all traffic to the firewall. So hosts on 200.200.200/24 do NOT talk to each other.
Firewall proxy arps and then NATs both the source and destination.
In other words, firewall will see traffic from 200.200.200.55 going to 200.200.200.61. It will proxy arp for .61, and then NATs both src and dst and sends it out eth3.

Now, they're trying to do the same on eth1 with a 100.100.100/24 network. This time it goes through a switch and then a router before going to the firewall.
Traffic flow:
100.100.100/24 >> switch configured to send all traffic to router >> router (firewall facing interface 200.200.200.3/24) >> firewall (router facing interface 200.200.200.5/24)
Again, they want the firewall to arp for addresses on 100.100.100/24 and then to NAT the src and dst. Now, I can't proxy arp for 100.100.100/24 because my interface is 200.200.200.5/24.


So, is their second scenario even possible? And out of curiosity, have you ever set up something like in the first scenario?
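An added illustration of the two layouts described in the post (not code from the poster or the forum): it models which IP a sender ARPs for and which devices share the segment where that request is broadcast. The host addresses 100.100.100.55 and 100.100.100.61, the router's 100.100.100.1 address, and the router using 200.200.200.5 as next hop are assumptions made for the example.

```python
import ipaddress

# Constructed model of the layouts in the post. An ARP request is a link-layer
# broadcast, so only devices attached to the sender's own segment can hear it.
SEGMENTS = {
    "seg200": {"host-200.55": "200.200.200.55/24",
               "router": "200.200.200.3/24",
               "firewall-eth1": "200.200.200.5/24"},
    "seg100": {"host-100.55": "100.100.100.55/24",  # constructed host address
               "router": "100.100.100.1/24"},       # assumed router address
}

def arp_target(sender_iface, dst, next_hop=None):
    """IP the sender ARPs for: dst itself when on-link, otherwise the next hop."""
    if ipaddress.ip_address(dst) in ipaddress.ip_interface(sender_iface).network:
        return dst
    if next_hop is None:
        raise ValueError("off-link destination needs a next hop")
    return next_hop

def arp_exchange(segment, sender, dst, next_hop=None):
    """Return (ip_arped_for, owner_on_segment_or_None, devices_that_hear_it)."""
    devices = SEGMENTS[segment]
    target = arp_target(devices[sender], dst, next_hop)
    owner = next((name for name, iface in devices.items()
                  if str(ipaddress.ip_interface(iface).ip) == target), None)
    hearers = sorted(name for name in devices if name != sender)
    return target, owner, hearers

def scenarios():
    return {
        # Scenario 1: .55 -> .61, both on-link; no owner, the firewall hears it.
        "first": arp_exchange("seg200", "host-200.55", "200.200.200.61"),
        # Scenario 2, hop 1: the request stays on the 100.100.100/24 segment.
        "second_host": arp_exchange("seg100", "host-100.55", "100.100.100.61"),
        # Scenario 2, hop 2 (assumed): router forwards with next hop 200.200.200.5.
        "second_router": arp_exchange("seg200", "router", "100.100.100.61",
                                      next_hop="200.200.200.5"),
    }

if __name__ == "__main__":
    for name, (target, owner, hearers) in scenarios().items():
        print(f"{name}: ARP for {target}, owner={owner}, heard by {hearers}")
```

In the second layout the request for 100.100.100.61 is heard only by the router, and on the 200.200.200/24 segment the router ARPs for 200.200.200.5, which the firewall owns outright.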