If you apply the fwd vip to all VLAN's, then anybody coming in to the front side of BIG-IP can get forwarded to the internal network, and any server on the inside can also initiate connections outbound to any destination. If you don't want to allow outbound connections then you could only enable the forwarder on the external VLAN. It basically depends on what your definition of "safe" is as to how granular you want to be about that. :-)
You'd still probably need the static route because it (or the VPN router) doesn't know where that internal network is, so yes the def gw on the F5 will take care of the outbound but inbound won't know how to get to the internal network through the BIG-IP if you don't route it there.
NAT'ing: you map an address on the external VLAN's IP range to one of the boxes on the inside VLAN. Not sure from your description whether that's private IP or not. There's no port restrictions on NATs so I don't consider them any "safer" than the forwarding vip, and they can introduce problems with Active Directory and Windows file sharing if you are trying to do any of that across the BIG-IP. So that's why I favor the forwarding vip approach. If those aren't issues for you then it's a coin toss.
Denny