Siemens SCALANCE S615 Manual page 18

2 UseCases at a Glance
The firewall rules for both SCALANCE S615 modules are identical as both use the
same subnet on VLAN1.
The firewall must allow communication between the PC (VLAN2) and the CPU
(VLAN1). As all functions may be executed, there is no port restriction.
Figure 2-11
Remarks

Address translation using NAT has already been performed before the firewall;
consequently, the firewall must use the translated addresses.

From the PC's (or STEP 7's) perspective, the two CPUs can therefore be
accessed via 192.168.1.2 or 192.168.1.3. This ensures that the CPUs belong
despite identical subnets on VLAN1.

To fully enable VLAN2 for access to the CPU, change the firewall rule and the
NAT rule for the source as follows: 192.168.1.0/24.

NETMAP always translates x addresses to x other addresses, which is also
called 1:1 NAT.

The "Trans.Destination IP Subnet" columns in the SCALANCE S615 may only
be configured with a single IP address – /32. Only then does the SCALANCE
S615 reply to ARP requests for the additional IP addresses.
NAT_S615
Entry ID: 109744660, V1.1, 08/2017
18