Configuring Address Objects; Configuring Protected Resources; Configuring Shared NAT Objects - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual

Copyright © 2010, Juniper Networks, Inc.
NAT objects
User objects
The following sections detail how to configure each component; after you have created
a component, you can use it to create your VPN.

Configuring Address Objects

You must create address objects to represent your network components in the UI. For
details on creating and configuring address objects.

Configuring Protected Resources

You should determine your protected resources first to help you identify the devices you
need to include in the VPN. After you know what you want to protect, you can use VPN
Manager or manually configure your security devices to create the VPN. A protected
resource object represents the network components (address objects) and services
(service objects) you want to protect and the security device that protects them.
The address specifies the secured destination, the service specifies the type of traffic to be
tunneled, and the device specifies where the VPN terminates (typically an outgoing
interface in the untrust zone). In a VPN rule, protected resources are the source and destination
IP addresses.
When creating protected resources:

- To protect multiple network components that are accessible by the same security
  device, add the address objects that represent those network components to the
  protected resource object.
- To protect a single network component that is accessible by multiple security devices,
  add multiple devices to the protected resource object. You must configure each device
  to be a part of the VPN.
- To manage different services for the same network component, create multiple
  protected resource objects that use the same address object and security device but
  specify a different service object.
- If you change the security device that protects a resource, NSM removes the previous
  security device from all affected VPNs and adds the new security device. However,
  NSM does not configure the VPN topology for the new security device—you must
  reconfigure the topology to include the new device manually.

For more details on creating protected resources.

Configuring Shared NAT Objects

For VPNs that support policy-based NAT, you must create one or more shared NAT
objects. A shared NAT object contains references to device-specific NAT objects, enabling
multiple devices to share a single object.
First, create a device-specific NAT object by editing the device configuration of each
security device member. Then, create a global NAT object that includes the device-specific
NAT objects. In the Object Manager, create a single shared NAT object to represent similar
Chapter 12: Configuring VPNs