ScreenOS Firewalls (NOT SRX)
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
magman
Regular Visitor
magman
Posts: 6
Registered: ‎04-10-2009
0

MIP vs Policy NAT-dst

Options

‎09-17-2009 05:38 PM

I'm installing two Juniper ISG 1000 firewalls in and A/P setup in our Web Hosting environment in front of a pair of loadbalancers.  My question is should I use a MIP or policy NAT-dst for outside users to access internal websites from Untrust? What's the advantage of using one or the other?
Message 1 of 2 (2,260 Views)
 
Reply
Distinguished Expert
Distinguished Expert
Screenie
Posts: 945
Registered: ‎01-10-2008
0

Re: MIP vs Policy NAT-dst

Options

‎09-18-2009 11:59 AM

MIP is bidirectional: Sessions created on the trust/dmz side will use the MIP's adress to nat behind. With nat-dst you need to src-nat the session initiated from inside. So it's up to you what you need. Only thing I can say: when a SMTP server is bebind the firewall use a MIP because you'll want to use an adress in a dns MX rerord to be used as source-ip to avoid cernain spamfilter to kill your mail...
best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Message 2 of 2 (2,238 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.