NAT_S615
Entry ID: 109744660, V1.1, 08/2017
Siemens AG All rights reserved
The source IP address (in this document: 192.168.1.10) is not changed; from the
CPU’s perspective, the packet is from another subnet. That is why the CPU
requires an additional entry for the gateway (IP address of the SCALANCE S615
for VLAN1).
In all reply packets that are sent from the CPU to the PC, the source IP address
192.168.2.20 is automatically replaced with 192.168.1.1.
Advantages
The advantage of this scenario is that no additional gateway entry is required in the
PC. The IP address of the SCALANCE S615 of the local network that has already
been used is used as the destination address.
Disadvantages
The disadvantage is that only active connection establishment from the PC to the
CPU is possible. Each port can only be forwarded once. Only a single node on
VLAN1 can be accessed using protocols with a fixed destination port (e.g., S7
protocol).
Forwarded ports can no longer be used by the SCALANCE S615 (e.g., http, IPSec,
SNMP, etc.).
NAPT and firewall rules
The NAPT table of the SCALANCE S615 translates packets from VLAN2 with the
destination IP address 192.168.1.1:8080 to the CPU’s IP address 192.168.2.20:80.
Port 80 is used as this access is web server access.
Figure 2-4
The firewall must allow communication between the PC (VLAN2) and the CPU
(VLAN1).
Figure 2-5
Remarks
Address translation using NAPT has already been performed before the
firewall; consequently, address translation must use the translated addresses
and ports.
From the PC’s perspective, the CPU’s web server can therefore be accessed
via http://192.168.1.1:8080.
More CPUs can be made accessible in the same way by using a different
destination port and destination IP address, e.g. 192.168.1.1:8081 ->
192.168.2.30:80.
To fully enable VLAN2 for access to the CPU, change the firewall rule for the
source as follows: 192.168.1.0/24.
Port forwarding is the more common term for NAPT.
To Next Page
Loading...
Need help?
General
