[northlandboy]

I certainly won't lay claim to coming up with it. When I first started doing serious work with Check Point, it was on a network that had been very recently designed and deployed. This was around FP2 days. There wasn't much natting taking place on the other 4.1 systems I'd seen up until then.

The design of that network worked like that - private subnets to the external interfaces of the firewalls, and routes on the upstream routers for out NAT pools.

So since I started out working with that, I just assumed that that was how it always worked. Conceptually, it seemed very simple and obvious to me. It was only later I came across proxy ARP scenarios, and it just didn't make much sense to me. I couldn't see the point in configuring proxy ARPs, and having those addresses in front of the firewall. Far better to make them virtual I thought.

I think that it should be made clear in the documentation that this is a valid network setup - the docs tend to talk about proxy ARP. Particularly for big networks where you do a lot of NAT, the ability to just route another network for expansion is tremendously useful.