ScreenOS Firewalls (NOT SRX)

MIP vs Policy NAT-dst

09-17-2009 05:38 PM
I'm installing two Juniper ISG 1000 firewalls in an A/P setup in our Web Hosting environment in front of a pair of load balancers. My question is: should I use a MIP or policy NAT-dst for outside users to access internal websites from Untrust? What's the advantage of using one or the other?
1 REPLY

Re: MIP vs Policy NAT-dst

09-18-2009 11:59 AM
MIP is bidirectional: sessions created on the trust/dmz side will use the MIP's address to NAT behind. With nat-dst you need to src-nat the sessions initiated from inside. So it's up to you what you need. The only thing I can say: when an SMTP server is behind the firewall, use a MIP, because you'll want the address in a DNS MX record to be used as the source IP to avoid certain spam filters killing your mail...
best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
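
The two options from the reply above, side by side as ScreenOS CLI. This is an added example, not part of the original thread; the interface names, zone bindings, address-book names, DIP ID and all IP addresses are constructed assumptions. Lines starting with `#` are annotations, not CLI input.

```screenos
# Assumed layout (constructed for this example):
#   ethernet1/1 = Untrust, 203.0.113.1/24
#   ethernet1/2 = Trust,   10.1.1.1/24

# --- Option A: MIP (one-to-one mapping, used in both directions) ---
# Public 203.0.113.10 <-> internal SMTP host 10.1.1.10
set interface ethernet1/1 mip 203.0.113.10 host 10.1.1.10 netmask 255.255.255.255 vr trust-vr
# Inbound: the policy destination is the MIP object
set policy from untrust to trust any "MIP(203.0.113.10)" smtp permit
# Outbound: a plain permit with no "nat src"; per the reply, sessions
# created by the host use the MIP address as their source
set address trust smtp-host 10.1.1.10/32
set policy from trust to untrust smtp-host any smtp permit

# --- Option B: policy NAT-dst (inbound only) plus explicit NAT-src ---
# The public address lives in the destination zone's address book and
# needs a route toward that zone so the policy lookup matches
set address trust web-public 203.0.113.20/32
set vrouter trust-vr route 203.0.113.20/32 interface ethernet1/2
set policy from untrust to trust any web-public http nat dst ip 10.1.1.20 permit
# Sessions initiated by 10.1.1.20 are NOT covered by the policy above;
# they need their own source NAT, here a single-address DIP pool
set interface ethernet1/1 dip 5 203.0.113.20 203.0.113.20
set address trust web-host 10.1.1.20/32
set policy from trust to untrust web-host any any nat src dip-id 5 permit
```

After applying either option, `get session` shows the translated addresses per session, which confirms which source address the internal host actually presents to Untrust.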