
Siemens SCALANCE S615 Manual

Siemens SCALANCE S615
36 pages
2 UseCases at a Glance
NAT_S615
Entry ID: 109744660, V1.1, 08/2017
Siemens AG All rights reserved
Process flow (active connection establishment from PC to CPU)
All message frames from the VPN tunnel reach the SCALANCE S615 on subnet
VLAN1.
Using the definition in its NAT table, the SCALANCE S615 replaces the source IP
address with its own IP address (192.168.2.1) and sends the packet to the
appropriate node.
From the CPU’s perspective, all packets are from the local subnet VLAN1 to which
a direct reply is possible.
In all reply packets from the CPU to the PC, the destination IP address is
automatically replaced with the PC IP address.
The assignment is made based on the existing state in the firewall; there is no
manual assignment as with destination NAT.
Advantages
The advantage is that access is possible without having to change the settings in
the terminals (reaction-free).
Disadvantages
The disadvantage is that, due to the identical source IP addresses, it is no longer
clear which remote node sent the packets.
NAT and firewall rules
In the NAT table of the SCALANCE S615, all packets from the VPN tunnel are
translated to a separate VLAN1 IP address.
Figure 2-16
The firewall must allow communication between the VPN tunnel and the internal
network, VLAN1. The services are unrestricted.
Figure 2-17
Remarks
Address translation using source NAT is performed behind the firewall;
consequently, the remote VPN addresses must be used as the source range.
By specifying 0.0.0.0/0, all IP addresses are allowed. This is necessary, for
example, if the remote subnet of the tunnel is not known in advance when
using SSC.
The shown firewall rule is optional as, by default, all packets from the VPN
tunnel are always enabled for VLAN1.
When using a different or additional VLAN, this rule is always required.
As the source interface of the firewall and NAT, you can either enable all
tunnels ("IPSec all") or select specific tunnels (via Interface = "Endpoint").
This configuration corresponds to how SINEMA RC works when "Device is network
gateway" is not checked. That method also performs source NAT from the tunnel.
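
The packet path described above can be traced with a small model. This is an added example, not Siemens code or device configuration: it is a simplified model in which the CPU address, the remote PC addresses and the translated port pool are constructed values, and only 192.168.2.1 and the 0.0.0.0/0 source range come from this page. It shows the firewall matching on the original remote VPN source, the CPU seeing one source address for every remote node, and the state table being the only place where the real sender can still be looked up.

```python
import ipaddress

S615_VLAN1_IP = "192.168.2.1"  # from the page: source address after NAT

class S615Model:
    """Toy model of the packet path: firewall first, then source NAT with state."""

    def __init__(self, fw_source_range, first_nat_port=40000):
        self.fw_source = ipaddress.ip_network(fw_source_range)
        self.state = {}  # (nat_port, cpu_ip, cpu_port) -> (remote_ip, remote_port)
        self.next_port = first_nat_port  # assumed port pool, not a device value

    def from_tunnel(self, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving from the VPN tunnel; returns the packet sent on VLAN1."""
        # The firewall matches the original remote VPN source (NAT comes after it).
        if ipaddress.ip_address(src_ip) not in self.fw_source:
            return None  # dropped by the firewall
        nat_port, self.next_port = self.next_port, self.next_port + 1
        self.state[(nat_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (S615_VLAN1_IP, nat_port, dst_ip, dst_port)

    def from_vlan1(self, src_ip, src_port, dst_ip, dst_port):
        """Reply from the CPU; the destination is restored from the state table."""
        remote = self.state.get((dst_port, src_ip, src_port))
        if dst_ip != S615_VLAN1_IP or remote is None:
            return None  # no matching state, nothing to translate
        return (src_ip, src_port, *remote)

    def attribute(self, nat_port, cpu_ip, cpu_port):
        """Look up which remote node is behind a translated connection."""
        return self.state.get((nat_port, cpu_ip, cpu_port))

def demo():
    CPU = ("192.168.2.10", 102)                       # constructed CPU address and port
    pcs = [("10.0.0.5", 50123), ("10.0.0.6", 50123)]  # constructed remote PCs
    s615 = S615Model("0.0.0.0/0")                     # source range from the Remarks
    seen_by_cpu = [s615.from_tunnel(*pc, *CPU) for pc in pcs]
    replies = [s615.from_vlan1(*CPU, p[0], p[1]) for p in seen_by_cpu]
    # A rule written for the translated address never matches the tunnel traffic.
    wrong = S615Model("192.168.2.1/32").from_tunnel(*pcs[0], *CPU)
    return seen_by_cpu, replies, wrong, s615

if __name__ == "__main__":
    seen, replies, wrong, s615 = demo()
    print("CPU sees:", seen)
    print("Replies leave the tunnel as:", replies)
    print("Rule on translated address:", wrong)
```

Because the CPU-side view carries only 192.168.2.1, attributing a session to a remote node depends on the state or logs kept on the translating device.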


Siemens SCALANCE S615 Specifications

General
Protocols: IPsec, OpenVPN
Power Supply: 24 V DC
Mounting Type: DIN Rail
Product Name: SCALANCE S615
Ports: 5
Firewall: Yes
Weight: 0.6 kg
Certifications: CE