Static NAT and ARP/Routing Issues

Keep in mind that NAT gateways need to reply to Address Resolution Protocol (ARP) requests for NAT-mapped global addresses under their administrative authority. In the case of such pool addresses, the outside gateway interface and the access router's inside interface share the same broadcast domain, ARP is used, and the NAT gateway is required to reply on behalf of the static address pool. This behavior can be accomplished by adding static ARP entries or, even better, alias interface addresses. Most of the time, the firewall/NAT software takes care of this by itself, though.

In the case of ordinary routing such as in Figure 15-1, remember to add explicit routes for NAT pools on screening/access routers toward the NAT engine. In that case, the pool is routed, and this is no longer an ARP issue. On some implementations, however, it might be necessary to add an explicit route for static mappings from the outside to the inside address; others handle this automatically. Now you know the two showstoppers to look out for in case of problems.

Figure 15-1. Generic NAT Architecture for Corporate Networks

[View full size image]