I'm installing two Juniper ISG 1000 firewalls in an A/P setup in our Web Hosting environment in front of a pair of load balancers. My question is: should I use a MIP or policy NAT-dst for outside users to access internal websites from Untrust? What's the advantage of using one or the other?
MIP is bidirectional: sessions created on the trust/dmz side will use the MIP's address to NAT behind. With nat-dst you need to src-nat the session initiated from inside. So it's up to you what you need. Only thing I can say: when an SMTP server is behind the firewall, use a MIP, because you'll want the address in the DNS MX record to be used as source IP to avoid certain spam filters killing your mail...
Screenie. Juniper Ambassador, JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI
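To make the answer's point concrete, here is an added ScreenOS CLI example (not from the poster or from Juniper's documentation) contrasting the two approaches. Interface names, zones and all IP addresses are constructed assumptions: Untrust on ethernet0/0, Trust on ethernet0/1, public address 203.0.113.10 mapped to an internal web server at 10.1.1.10.

```screenos
# Constructed example addressing (assumptions, not from the thread):
#   Untrust = ethernet0/0, Trust = ethernet0/1
#   public 203.0.113.10  <->  internal server 10.1.1.10

# --- Option 1: MIP (static 1:1, bidirectional) ---
set interface ethernet0/0 mip 203.0.113.10 host 10.1.1.10 netmask 255.255.255.255 vr trust-vr
# Inbound: Untrust clients hit the MIP; the firewall translates to 10.1.1.10
set policy from untrust to trust Any MIP(203.0.113.10) HTTP permit
# Outbound: sessions initiated by 10.1.1.10 leave sourced as 203.0.113.10
# automatically, so the MX record can point at 203.0.113.10 and mail
# from the server matches it; a plain permit policy is enough
set policy from trust to untrust Any Any SMTP permit

# --- Option 2: policy NAT-dst inbound + NAT-src outbound ---
set address untrust "web-public"   203.0.113.10 255.255.255.255
set address trust   "web-internal" 10.1.1.10    255.255.255.255
# Inbound: destination is rewritten only for traffic matching this policy
set policy from untrust to trust Any "web-public" HTTP nat dst ip 10.1.1.10 permit
# Outbound: NAT-dst alone does nothing for inside-initiated sessions; without
# the DIP pool below they would leave with the egress interface IP instead
set interface ethernet0/0 dip 5 203.0.113.10 203.0.113.10
set policy from trust to untrust "web-internal" Any SMTP nat src dip-id 5 permit

# Either way, 203.0.113.10 must actually be routed to the firewall; after
# applying, confirm translation on live traffic with:
#   get session
#   get route
```

With option 2 the per-service policies also give you finer control over which ports are exposed, at the cost of remembering the matching NAT-src policy for every server that initiates outbound connections.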