08-07-2012 12:25 AM
The reverse-nat configuration has a potential security risk, and it is advised to use the dynamic-nat feature instead. Then you don't need to use the "port default" configuration. The security risk is that all of the client traffic destined for the VIP will go to the real servers, even though you don't want that. Typically, reverse-nat is used when you want traffic from the real servers to go through the ServerIron with its source IP address replaced by the VIP. With dynamic-nat, you don't need to bind port default, and the VIP will only accept ports defined under the VIP configuration.