CPUG: The Check Point User Group

Forum section: Check Point Firewall-1/VPN-1 And Related Products > Topology Issues
#1
2007-02-28
dfwboiler
Junior Member
Anyone ever use proxy arp like this...

So....
The problem is I've got someone submitting requests for new NATs on the firewall, trying to mimic a current proxy ARP setup.
Here's the info on the proxy ARP that's working.

network: 200.200.200/24
firewall interface eth1: 200.200.200.5/24

Now, the switch between the network and the firewall is set to forward all traffic to the firewall. So hosts on 200.200.200/24 do NOT talk to each other.
The firewall proxy ARPs and then NATs both the source and destination.
In other words, the firewall will see traffic from 200.200.200.55 going to 200.200.200.61. It will proxy ARP for .61, then NATs both src and dst and sends it out eth3.

Now, they're trying to do the same on eth1 with a 100.100.100/24 network. This time it goes through a switch and then a router before reaching the firewall.
Traffic flow:
100.100.100/24 >> switch configured to send all traffic to the router >> router (firewall-facing interface 200.200.200.3/24) >> firewall (router-facing interface 200.200.200.5/24)
Again, they want the firewall to ARP for addresses on 100.100.100/24 and then NAT the src and dst. Now, I can't proxy ARP for 100.100.100/24 because my interface is 200.200.200.5/24.


So, is their second scenario even possible? And out of curiosity, have you ever set up something like the first scenario?
#2
2007-05-07
dsb.nepo
Senior Member
Location: Europe, Germany
Re: Anyone ever use proxy arp like this...

Never tried such a setup.
Quote:
Again, they want the firewall to ARP for addresses on 100.100.100/24 and then NAT the src and dst. Now, I can't proxy ARP for 100.100.100/24 because my interface is 200.200.200.5/24.
What platform/OS is this firewall running?

With SPLAT (verified R60-R65) there is an interesting solution for proxy ARP;
it is described in the ClusterXL User Guide (search for 'Example of Cluster Addresses on Different Subnets' or 'local.arp'):
Quote:
When using static NAT, the cluster can be configured to automatically recognize the hosts hidden behind it, and issue ARP replies with the cluster MAC, on their behalf. This process is known as Automatic Proxy ARP. If you use different subnets for the cluster IPs, this mechanism will not work, and you must configure the proxy ARP manually. This is done by creating a file called local.arp, under the firewall's configuration directory ($FWDIR/conf). In SmartDashboard, uncheck Automatic proxy arp.
Each entry in this file is a triplet, containing the:
• host address to be published
• MAC address that needs to be associated with the IP address
• unique IP of the interface that responds to the ARP request.
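The two scenarios in the thread differ in exactly one thing: whether the address the firewall must answer ARP for lies inside the subnet configured on the interface that answers. The following is an added example, not code from the thread or from Check Point: it takes the poster's addresses, classifies each published NAT address as coverable by automatic proxy ARP or needing a manual entry, emits the $FWDIR/conf/local.arp triplets in the shape the quoted guide excerpt lists (published IP, MAC, responding interface IP), and validates an existing file so a typo does not silently leave one NAT unanswered. The eth1 MAC, the whitespace-separated line layout and the "#" comment handling in the parser are assumptions; the thread gives neither a MAC nor a sample file.

```python
import ipaddress
import re

# Constructed from the thread's topology. The IP addresses are the poster's;
# the MAC is an assumed value, since the thread never gives eth1's MAC.
IFACE_IP = "200.200.200.5/24"          # firewall eth1, router-facing
IFACE_MAC = "00:11:22:33:44:55"        # assumed MAC of eth1
PUBLISHED = ["200.200.200.61",         # first scenario: same subnet as eth1
             "100.100.100.61",         # second scenario: behind the router
             "100.100.100.62"]

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def needs_manual_proxy_arp(host: str, iface_cidr: str) -> bool:
    """True when automatic proxy ARP cannot cover host: the address is not
    inside the subnet configured on the interface that has to answer."""
    iface = ipaddress.ip_interface(iface_cidr)
    return ipaddress.ip_address(host) not in iface.network


def local_arp_entry(host: str, mac: str, iface_cidr: str) -> str:
    """One local.arp line: published IP, MAC to answer with, IP of the
    responding interface. Whitespace-separated triplet (assumed layout)."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC: {mac}")
    iface = ipaddress.ip_interface(iface_cidr)
    addr = ipaddress.ip_address(host)
    if addr == iface.ip:
        raise ValueError(f"{host} is the interface address, not a published NAT")
    return f"{addr} {mac} {iface.ip}"


def build_local_arp(hosts, mac, iface_cidr) -> list[str]:
    """Every published address goes into the file: once local.arp is used,
    Automatic proxy ARP is unchecked in SmartDashboard, so nothing else
    answers for the same-subnet hosts either."""
    return [local_arp_entry(h, mac, iface_cidr) for h in hosts]


def classify(hosts, iface_cidr) -> dict[str, str]:
    """Which mechanism could answer ARP for each host without local.arp."""
    return {h: ("local.arp required" if needs_manual_proxy_arp(h, iface_cidr)
                else "automatic proxy ARP") for h in hosts}


def parse_local_arp(text: str) -> list[tuple[str, str, str]]:
    """Parse and validate local.arp contents. Rejects malformed triplets.
    Stripping '#' comments is this parser's convenience, not a documented
    feature of the file."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {n}: expected 3 fields, got {len(parts)}")
        host, mac, iface_ip = parts
        ipaddress.ip_address(host)       # raises on a garbled address
        ipaddress.ip_address(iface_ip)
        if not MAC_RE.match(mac.lower()):
            raise ValueError(f"line {n}: bad MAC {mac}")
        entries.append((host, mac.lower(), iface_ip))
    return entries


if __name__ == "__main__":
    for host, how in classify(PUBLISHED, IFACE_IP).items():
        print(f"{host:16} {how}")
    print("\n".join(build_local_arp(PUBLISHED, IFACE_MAC, IFACE_IP)))
```

The file only settles the firewall's half of the second scenario. The router at 200.200.200.3 will only send an ARP request for 100.100.100.61 onto the 200.200.200/24 segment if it regards 100.100.100/24 as directly reachable on that interface (a connected or interface route); if its route for 100.100.100/24 points at a next-hop address, it resolves the next hop's MAC and never asks who has .61, and no local.arp entry will be consulted. The static NAT rules for src and dst still have to exist as in the first scenario; local.arp replaces only the automatic ARP answering.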