Here is the network structure.
I have been allocated 48 Public IP addresses out of a C class subnet by my ISP. The mask we are using is /24.
I have two sites which both have their own firewalls. The first site has a last octet address of .33/24 and the secondary site has .32/24. The firewall does NAT the private address space on the LAN.
Our clients get assigned an IP address when they join us in building 1 and we create a NAT rule to point that to their private IP. After a period of time they move to building 2. At this time I would remove the Public IP address off firewall 1 and enter it in firewall 2 pointing to their new private address space within building 2.
The issue I am having is that some of the original IP addresses I was allocated are not moving. What I mean by that is that if you try to connect to them from the outside world, it is the first site firewall that is handling the request. Yet it has no reference to that public IP address anywhere in its configuration. I suspected that there was a static route set up in my ISP's configuration, but they assure me there is not.
The question is...
What condition makes a firewall answer an ARP request positively? Is it based on the IP addresses defined in the NAT table or is it by the subnet defined on the WAN interface?