Proxy arp is something that not all people understand well. Some devices are able to do it, other not, and other do it automatic (sometimes), etc....
Here i will give a brief overview of how juniper firewalls handle proxy arp:
As most of you know there are 5 solutions to do NATTING in juniper firewalls:
MIP: one to one (bi-directional)
DIP: many to one (uni-directional)
VIP: one to many (uni-directional)
Destination NAT (policy): one to one, one to many (uni-directional)
Source NAT (policy): many to one, one to one (uni-directional)
So this is a overview of the natting, know when will the firewall to proxy arp for these NAT addresses?
So you see that when using Destination nat you will have problem. Solution to solve this problem, ... place a static arp entry on higher level router, or when not in same network has the interface ... place a route to cluster ip of the juniper firewall.
Sometimes this isn't a solution, because the upstream router isn't managed by yourself. This means you need to be able to do proxy arp on firewall for these NAT addresses.
Well there is a hidden command "set arp nat-dst", which will do proxy arp for NAT addresses in a certain situation!!
When will he do it or not:
• The Destination NAT policy must be configured using the same source and
destination Layer 3 security zone. However, traffic that matches the policy
can then be sent to any Layer 3 security zone.
• The device does not respond to an ARP request if the Destination NAT IP is
in the same incoming subnet as a secondary IP address.
• In an HA environment, the device only supports the Destination NAT ARP
capability if using NSRP Active/Passive on interfaces that reside in VSD ID
• In ScreenOS 5.0r7 and below, the device does not respond to an ARP request
for a Destination NAT IP that is in the same subnet as the incoming
interface for a Destination NAT policy.
Hope this helps you all.