ScreenOS Firewalls (NOT SRX)
Regular Visitor
magman

MIP vs Policy NAT-dst

I'm installing two Juniper ISG 1000 firewalls in an A/P setup in our Web Hosting environment in front of a pair of load balancers. My question is: should I use a MIP or policy NAT-dst for outside users to access internal websites from Untrust? What's the advantage of using one or the other?
Distinguished Expert
Screenie

Re: MIP vs Policy NAT-dst

MIP is bidirectional: sessions created on the trust/DMZ side will use the MIP's address to NAT behind. With nat-dst you need to src-nat the sessions initiated from inside. So it's up to you what you need. Only thing I can say: when an SMTP server is behind the firewall, use a MIP, because you'll want the address in the DNS MX record to be used as the source IP, to avoid certain spam filters killing your mail...
best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI
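The two options from the reply above, side by side, as an added ScreenOS configuration example that is not from either poster. Interface names, zone layout, the `web-*` address names, DIP id 5 and all addresses (documentation ranges) are assumptions; the `#` lines are annotations to strip before pasting, and the syntax should be checked against the ScreenOS release on the ISG.

```screenos
# Assumed: ethernet1/1 = Untrust interface in 203.0.113.0/24,
#          ethernet1/2 = Trust interface facing the load balancers.

# --- Option A: MIP (bidirectional one-to-one mapping) ---
# Inbound 203.0.113.10 -> 10.1.1.10; sessions the host starts outbound
# through this interface are translated to 203.0.113.10 automatically.
set interface ethernet1/1 mip 203.0.113.10 host 10.1.1.10 netmask 255.255.255.255 vrouter trust-vr
set policy from "Untrust" to "Trust" "Any" "MIP(203.0.113.10)" "HTTP" permit

# --- Option B: policy-based NAT-dst (inbound only) ---
# The public address is entered in the destination zone's address book
# and needs a route toward that zone so the policy lookup finds it.
set address "Trust" "web-public" 203.0.113.20/32
set route 203.0.113.20/32 interface ethernet1/2
set policy from "Untrust" to "Trust" "Any" "web-public" "HTTP" nat dst ip 10.1.1.20 permit

# NAT-dst does nothing for sessions initiated from inside. To have the
# server leave with the same public address, add an explicit source NAT:
# a single-address DIP pool plus a Trust -> Untrust policy using it.
set address "Trust" "web-host" 10.1.1.20/32
set interface ethernet1/1 dip 5 203.0.113.20 203.0.113.20
set policy from "Trust" to "Untrust" "web-host" "Any" "Any" nat src dip-id 5 permit
```

With option B, the inbound exposure is limited to the service named in the NAT-dst policy, while the outbound source address depends entirely on the separate nat src policy being present and ordered ahead of any broader outbound rule.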
