coldark, 2008-04-17
Re: how to add proxy-arp entries for manual nat

For an upstream router to be able to deliver traffic which has a destination address of "NAT_IP" to the required location (your CheckPoint firewall), you must have one of two conditions configured. Either:

1) A route on the upstream router - which routes NAT packets to the FW, or
2) A proxy ARP configured on the firewall - which makes the firewall respond to ARP requests from the router.

Let's say that you have not got a route on the router which will forward the packet; then the following happens:

a) The router looks in its own ARP cache to see where it should send the packet addressed to NAT_IP.
b) If the ARP cache doesn't have the information, the router puts out an ARP request - asking "who has NAT_IP address - tell me"
c) We need your firewall to respond to this ARP request - so we configure your firewall to do that by configuring a "Proxy ARP"
d) If the proxy ARP is configured correctly - when the router ARPs, your firewall should respond saying "Me - send it to me - on this MAC ADDRESS (of your ext NIC)"
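
The a) to d) exchange described in the post, as an added example that is not part of the original post and is not Check Point code: a Python simulation that builds the 28-byte ARP request and reply and shows that the router only learns a MAC for NAT_IP when the firewall holds a proxy ARP entry. All addresses, MACs and the names `Firewall` and `router_resolve` are constructed for illustration.

```python
import socket
import struct

# Constructed sample values (documentation range, locally administered MACs).
ROUTER_IP, ROUTER_MAC = "203.0.113.1", "02:00:00:00:00:01"
FW_EXT_IP, FW_EXT_MAC = "203.0.113.2", "02:00:00:00:00:02"
NAT_IP = "203.0.113.10"
ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 layout for Ethernet/IPv4, 28 bytes
REQUEST, REPLY = 1, 2

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Pack an ARP payload: htype=1 (Ethernet), ptype=0x0800 (IPv4)."""
    to_mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       to_mac(sender_mac), socket.inet_aton(sender_ip),
                       to_mac(target_mac), socket.inet_aton(target_ip))

def parse_arp(pkt):
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, pkt)
    return {"op": op,
            "sender_mac": smac.hex(":"), "sender_ip": socket.inet_ntoa(sip),
            "target_mac": tmac.hex(":"), "target_ip": socket.inet_ntoa(tip)}

class Firewall:
    """Hypothetical model of the firewall's external NIC."""
    def __init__(self, ext_ip, ext_mac, proxy_arp=()):
        self.ext_ip, self.ext_mac = ext_ip, ext_mac
        self.proxy_arp = set(proxy_arp)  # NAT addresses answered on behalf of

    def handle_arp(self, pkt):
        req = parse_arp(pkt)
        if req["op"] != REQUEST:
            return None
        if req["target_ip"] != self.ext_ip and req["target_ip"] not in self.proxy_arp:
            return None  # step c) not configured: nobody answers the router
        # Step d): claim the requested IP with the external NIC's MAC.
        return build_arp(REPLY, self.ext_mac, req["target_ip"],
                         req["sender_mac"], req["sender_ip"])

def router_resolve(firewall, nat_ip, arp_cache):
    """Steps a) and b): check the cache, otherwise ask 'who has nat_ip'."""
    if nat_ip in arp_cache:
        return arp_cache[nat_ip]
    request = build_arp(REQUEST, ROUTER_MAC, ROUTER_IP, "00:00:00:00:00:00", nat_ip)
    reply = firewall.handle_arp(request)
    if reply is None:
        return None  # unresolved: the packet for NAT_IP cannot be delivered
    answer = parse_arp(reply)
    arp_cache[answer["sender_ip"]] = answer["sender_mac"]
    return answer["sender_mac"]
```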