...

Well, it need not be accomplished by proxy-arp, for one. Then, who's saying the IP address that's being DNATed is in a local subnet of the firewall at all? I.e. the firewall could have two networks attached, 1/8 and 2/8. It could still be instructed to DNAT traffic to 2.1.1.1 to 3.1.1.1. No proxy-arp involved.

I read the man page for arp. It says that the kernel does automagic arp if a route exists between the subnets.

And...?

...

I'd ask for a /30 subnet to put the Cisco and the firewall (external interface) into, additionally to the /28 subnet for the DMZ and have the Cisco sysadmin configure the firewall as the gateway to that /28. The /30 subnet needn't have official addresses, BTW, in case that's a problem, because noone should need to send traffic to the firewall directly.

What about setting the cisco's default gateway for the 66.8.45.160/28 network to the firewall interface?

Number one, there is only one default gateway, also called the gateway of last resort. There is no subnet-specific *default* gateway. I don't think the Cisco would let you configure it's interface as 66.8.45.161/255.255.255.240 and then issue a route to that very subnet pointing at a gateway, since it knows that that subnet is directly attached. You can, however, split that subnet into smaller blocks and apply routes to those. More specific routes, i.e. ones with a larger number of bits in the subnet mask, take precedence over less specific routes. The easiest way to do this in your situation, where you don't have many hosts, is to issue host routes. Under no circumstances give the Cisco a different subnet mask than the Linux box. They won't be able to see each other if you do, as network and broadcast addresses don't correspond anymore. Cheers Tobias