[coldark]

You have fixed this problem using a route on the upstream router which forces packets addressed to the Nat address onto the FW Ext I/F. This is fine as long as you have control of the upstream router.

If you want to use the arp method however, in my experience on SPLAT it is not enough to just add the arp entry, you additionally have to put a Static Route on the Firewall which routes the NAT address to the internal next hop (this may be the actual address of the internal box that you are NATting for).

BTW - the reason it works with Automatic Nat rules is that, with Automatic NAT, FW-1 automatically arps - this is not true of manual NAT - check this in the Smart Dashboard GUI - Policy Menu > Global Properties > NAT you will see that there is a check box for automatic arp under Automatic NAT - but it is missing under Manual NAT.