Here's my routing table:
trust-vr
IP/Netmask Gateway Interface Protocol Preference Metric
*192.xxx.xx.0/24 ethernet1 C
*192.xxx.xx.1/32 ethernet1 H
*172.zzz.zzz.0/24 ethernet2 C
*172.zzz.zzz.1/32 ethernet2 H
*150.yyy.yyy.yyy/32 ethernet3 C
*150.yyy.yyy.yyy/32 ethernet3 H
0.0.0.0/0 150.aaa.aaa.aaa ethernet3 C 100
*27.bbb.bbb.bbb/32 ethernet4 C
*27.bbb.bbb.bbb/32 ethernet4 H
*0.0.0.0/0 10.2cc.ccc.ccc ethernet4 C 50
ethernet1 and ethernet2 are internal trust.
ethernet3 is ADSL (static IP) and ethernet4 is VDSL (dynamic IP); both are external untrust.
* is an active route.
There are no routes defined for source IPs.
All VIPs are on ethernet3 (the NetScreen-25 only has VIP on ethernet3).
Incoming packets on ethernet3 on the 150.yyy.yyy.yyy should go to a server on the 192.xxx.xxx.0 (ethernet1) subnet. I only require VIP on one interface.
Note, though, that anything from the internal networks trying to get to our internal server via the external URL makes it to the server, looping back through the firewall.