Siemens SCALANCE S615 Manual


NAT Variants with the SCALANCE S615
https://support.industry.siemens.com/cs/ww/en/view/109744660
Siemens Industry Online Support


Summary of Contents for Siemens SCALANCE S615

  • Page 2: Warranty and Liability

    Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these Application Examples and other Siemens publications – e.g. Catalogs – the contents of the other documents have priority.
  • Page 3: Table of Contents

    Table of Contents: Warranty and Liability (page 2); Introduction (page 4); Use Cases at a Glance (page 6); Static routing (page 6); Web server access via NAPT (page 8); PG functions with NETMAP and destination NAT (page 10); NATing entire subnets via NETMAP and destination NAT (page 13); Series machines with NETMAP and destination NAT ...
  • Page 4: Introduction

    1 Introduction. Starting situation: The SCALANCE S615 is a module from the security module product line and protects industrial networks and automation systems against unauthorized access. Thanks to its diverse features, the security module enables protection of different network topologies and flexible implementation of security concepts: ...
  • Page 5 Reaction-free S7 communication in existing plants Source and destination NAT Note The functions described in this document require firmware V04.01.01 in the SCALANCE S615. Make sure that firmware V04.01.01 or higher is installed on the module (see Chapter 4.2). NAT_S615 Entry ID: 109744660, V1.1,...
  • Page 6: Use Cases at a Glance

    IDs. As a result, the device has a separate IP address for each VLAN (in this document: VLAN1: 192.168.2.1 and VLAN2: 192.168.1.1). Depending on the VLAN it belongs to, this IP address of the SCALANCE S615 must be entered in the terminal (in this document: PC or CPU) as the gateway.
  • Page 7 The IP address 192.168.1.10 cannot be reached locally. The packet is sent to the gateway. The SCALANCE S615 has an interface on subnet 192.168.2.0 and forwards the packet directly to the PC. From the PC’s perspective, the IP address 192.168.2.20 is not local. The reply packets are also sent to the gateway.
  • Page 8: Web Server Access via NAPT

    IDs. As a result, the device has a separate IP address for each VLAN (in this document: VLAN1: 192.168.2.1 and VLAN2: 192.168.1.1). In addition, a NAPT table is defined in the SCALANCE S615 to translate the PC’s message frames to a different IP address.
  • Page 9 Advantages The advantage of this scenario is that no additional gateway entry is required in the PC. The IP address of the SCALANCE S615 of the local network that has already been used is used as the destination address. Disadvantages The disadvantage is that only active connection establishment from the PC to the CPU is possible.
  • Page 10: PG Functions with NETMAP and Destination NAT

    VLAN2 that are not in use. For the reply packets of the two CPUs to find their way to VLAN2, the IP address of the SCALANCE S615 (VLAN1) must be entered in the two CPUs as the gateway. NAT_S615 Entry ID: 109744660, V1.1,...
  • Page 11 The PC accesses the local IP address 192.168.1.2 or 192.168.1.3 as the destination. Using the definition in its NAT table, the SCALANCE S615 replaces the destination IP address and sends the packet to CPU1 or CPU2. The source IP address (in this document: 192.168.1.10) is not changed; from the CPU’s perspective, the packet is from a non-local subnet.
  • Page 12 NETMAP always translates x addresses to x other addresses, which is also called 1:1 NAT. The "Trans. Destination IP Subnet" columns in the SCALANCE S615 may only be configured with a single IP address (/32). Only then does the SCALANCE S615 reply to ARP requests for the additional IP addresses.
  • Page 13: NATing Entire Subnets via NETMAP and Destination NAT

    SCALANCE S. It is freely selectable and completely independent from the subnet at VLAN 1. Depending on the VLAN it belongs to, this IP address of the SCALANCE S615 must be entered in the terminal (in this document: PC or automation device) as the gateway.
  • Page 14 Via routing, the PC accesses the IP address 172.16.1.20 as the destination, for example. Using the definition in its NAT table, the SCALANCE S615 replaces the destination IP address to 192.168.2.20 and sends the packet to CPU1. The source IP address (in this document: 192.168.1.10) is not changed; from the CPU’s perspective, the packet is from a non-local subnet.
  • Page 15 2 Use Cases at a Glance. Remarks: Address translation using NAT has already been performed before the firewall; consequently, the firewall must use the translated addresses. To fully enable VLAN2 for access to the automation devices, change the firewall rule and the NAT rule for the source as follows: 192.168.1.0/24. ...
  • Page 16: Series Machines with NETMAP and Destination NAT

    VLAN1 could not be uniquely assigned, regardless of the direction of connection establishment and gateways in the PC. One SCALANCE S615 module is required for each identical internal subnet. It is not possible to connect multiple identical subnets to a single SCALANCE S615.
  • Page 17 2 Use Cases at a Glance. For the reply packets of the two CPUs to find their way back to VLAN2, the IP address of the SCALANCE S615 (VLAN1) must be entered in the two CPUs as the gateway. Process flow (active connection establishment from PC to CPU): The additional NAT IP addresses 192.168.1.2 and 192.168.1.3 are used by the two...
  • Page 18 2 Use Cases at a Glance. The firewall rules for both SCALANCE S615 modules are identical as both use the same subnet on VLAN1. The firewall must allow communication between the PC (VLAN2) and the CPU (VLAN1). As all functions may be executed, there is no port restriction.
  • Page 19: Cross Communication for Series Machines with NETMAP and Destination NAT

    VLAN1 could not be uniquely assigned, regardless of the direction of connection establishment and gateways in the PC. One SCALANCE S615 module is required for each identical internal subnet. It is not possible to connect multiple identical subnets to a single SCALANCE S615.
  • Page 20 2 Use Cases at a Glance. In the left SCALANCE S615 (first plant part), the destination NAT is used; in the right SCALANCE S615 (second plant part), the source NAT. For the reply packets of the two CPUs to find their way back to VLAN2, the IP address of the SCALANCE S615 (VLAN1) must be entered in the two CPUs as the gateway.
  • Page 21 The "Trans. Destination IP Subnet" and "Trans. Source IP Subnet" columns in the SCALANCE S615 may only be configured with a single IP address (/32). Only then does the SCALANCE S615 reply to ARP requests for the additional IP addresses.
  • Page 22: Connection to Control System with Source NAT

    IDs. As a result, the device has a separate IP address for each VLAN (in this document: VLAN1: 192.168.2.1 and VLAN2: 192.168.1.1). In addition, a NAT table is defined in the SCALANCE S615 to translate the CPU’s message frames to a different IP address.
  • Page 23 NAT. Advantages This NAT table has the advantage that no additional IP address is required. The IP address of the SCALANCE S615 for VLAN2 that is already in use is used as the source IP address. Disadvantages The disadvantage is that only active connection establishment from the CPU to the PC is possible.
  • Page 24 2 Use Cases at a Glance. As several IP addresses can be translated to a single IP address, the source port of a connection request may change during source NAT. This is inevitable if two nodes use the same source port. NAT_S615 Entry ID: 109744660, V1.1,...
  • Page 25: Source NAT from VPN Tunnel

    VLAN1: 192.168.2.0/24 Requirements An existing IPSec tunnel with the SCALANCE S615 as the tunnel endpoint is the basis of this configuration. For example, the SOFTNET Security Client or another SCALANCE S connected upstream to the PC can be the VPN partner.
  • Page 26 The disadvantage is that, due to the identical source IP addresses, it is no longer clear which remote node sent the packets. NAT and firewall rules In the NAT table of the SCALANCE S615, all packets from the VPN tunnel are translated to a separate VLAN1 IP address. Figure 2-16 The firewall must allow communication between the VPN tunnel and the internal network, VLAN1.
  • Page 27: S7 Connection with Double NAT

    IDs. As a result, the device has a separate IP address for each VLAN (in this document: VLAN1: 192.168.2.1 and VLAN2: 192.168.1.1). In addition, a source and destination NAT table is defined in the SCALANCE S615 to translate the CPU’s message frames to a different IP address. This requires another IP address from the subnet of VLAN2.
  • Page 28 The additional NAT IP address 192.168.1.2 is used by the SCALANCE S615. CPU2 accesses the local IP address 192.168.1.2 as the destination. Using the definition in its NAT table, the SCALANCE S615 replaces the source and destination IP address and sends the packet to CPU1.
  • Page 29  The "Trans.Destination IP Subnet” columns in the SCALANCE S615 may only be configured with a single IP address – /32. Only then does the SCALANCE S615 reply to ARP requests for the additional IP addresses.
  • Page 30: Valuable Information

    3 Valuable Information. General principles, 3.1.1 Classless Inter-Domain Routing (CIDR). Description: The firewall and NAT configuration in the S615 largely use CIDR suffix notation. CIDR is a method that combines multiple IPv4 addresses into a single address range by representing an IPv4 address combined with its subnet mask. To this end, the "/x"...
  • Page 31: NAT Mechanisms

    3 Valuable Information 3.1.3 NAT mechanisms NAT (Network Address Translation) is a method of translating IP addresses in data packets. It can be used to interconnect two different networks (internal and external). There are two different NATs: source NAT that translates the source IP address and destination NAT that translates the destination IP address.
  • Page 32: Firewall and NAT

    The IP address that has already been changed can no longer be filtered in the firewall. Note: For the SCALANCE S615, the number of firewall and NAT rules is limited to 64 each. The rules do not add up; consequently, 64 NAT rules and 64 firewall rules are possible at the same time.
  • Page 33: S7 Connections and NAT

    3 Valuable Information. S7 connections and NAT: For S7 connections specified on both sides, both sides check the partner's IP address when the connection is established. As neither the source nor the destination IP address can be changed when using NAT, a connection using this method cannot work.
  • Page 34 3 Valuable Information. 5. Then use the appropriate button to search for devices. 6. Do not accept a suggestion to add another IP address and click "next". NAT_S615 Entry ID: 109744660, V1.1, 08/2017...
  • Page 35: Appendix

    Technical Support Siemens Industry’s Technical Support offers you fast and competent support for any technical queries you may have, including numerous tailor-made offerings ranging from basic support to custom support contracts.
  • Page 36: Links and Literature

    Links and literature, Table 4-1 (Topic / Link):
    Siemens Industry Online Support: https://support.industry.siemens.com
    This application example: https://support.industry.siemens.com/cs/ww/en/view/109744660
    Download of Firmware SCALANCE M-800 / S615 V04.01.01: https://support.industry.siemens.com/cs/en/en/view/109482557
    SIMATIC NET Industrial Ethernet Security SCALANCE S615 Web Based Management, Configuration Manual: https://support.industry.siemens.com/cs/ww/en/view/109741743
    Change documentation, Table 4-2 (Version / Date / Modifications): V1.0...