Siemens SCALANCE S615 Manual page 21

NAT variants
2 Use Cases at a Glance
The NAT table of the SCALANCE S615 for the second plant part translates
packets from VLAN1 with the source IP address 192.168.2.10 to its own
additional VLAN2 IP address 192.168.1.3.
Figure 2-
The firewalls of both SCALANCE S615 devices must allow communication between
CPU1 (VLAN1) and CPU2 (VLAN1) via VLAN2, according to the NAT table. The
CPU-CPU communication is based on S7 communication, so the permitted services
are limited to port 102.
The firewall of the SCALANCE S615 from the first plant part must allow
communication between VLAN2 (additional IP address in the right SCALANCE
S615) and CPU1 (VLAN1).
Figure 2-2
The firewall of the SCALANCE S615 from the second plant part must allow
communication between CPU2 (VLAN1) and VLAN2 (additional IP address in the
left SCALANCE S615).
Figure 2-3
Remarks
In the SCALANCE S615 from the first plant part, address translation using NAT
(destination NAT) has already been performed before the firewall;
consequently, the firewall must use the translated addresses.
In the SCALANCE S615 from the second plant part, address translation using
NAT (source NAT) will be performed after the firewall; consequently, the
firewall must use the physical addresses.
The "Trans.Destination IP Subnet" and "Trans.Source IP Subnet" columns in
the SCALANCE S615 may only be configured with a single IP address (/32).
Only then does the SCALANCE S615 reply to ARP requests for the additional
IP addresses.
To translate all internal participants from the second plant part to the IP
address of the SCALANCE S615 in VLAN2, Source NAT or masquerading may be
used as an alternative to NETMAP Source NAT.
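The first two remarks determine which addresses each firewall rule has to be written against. The following added example (not part of the Siemens manual, and not S615 configuration syntax) is a simplified model of that processing order for one request from CPU2 to CPU1; the CPU1 address and the left S615's additional VLAN2 address are constructed values, since this page does not state them.

```python
from dataclasses import dataclass, replace

S7_PORT = 102                 # S7 communication (from the page)
CPU2 = "192.168.2.10"         # VLAN1 source in the second plant part (from the page)
RIGHT_EXTRA = "192.168.1.3"   # right S615 additional VLAN2 address (from the page)
CPU1 = "192.168.2.20"         # constructed: CPU1 address in the first plant part
LEFT_EXTRA = "192.168.1.2"    # constructed: left S615 additional VLAN2 address

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def allowed(pkt, rules):
    """Firewall check: exact match on (source, destination, port)."""
    return any((pkt.src, pkt.dst, pkt.dport) == rule for rule in rules)

def right_s615(pkt, rules):
    """Second plant part: firewall first, source NAT afterwards."""
    if not allowed(pkt, rules):
        return None
    if pkt.src == CPU2:
        pkt = replace(pkt, src=RIGHT_EXTRA)
    return pkt

def left_s615(pkt, rules):
    """First plant part: destination NAT first, firewall afterwards."""
    if pkt.dst == LEFT_EXTRA:
        pkt = replace(pkt, dst=CPU1)
    return pkt if allowed(pkt, rules) else None

def end_to_end(right_rules, left_rules, dport=S7_PORT):
    """Send one CPU2 -> CPU1 request through both devices; None means dropped."""
    pkt = right_s615(Packet(CPU2, LEFT_EXTRA, dport), right_rules)
    return left_s615(pkt, left_rules) if pkt else None

# Rules that follow the remarks: physical source on the right, translated destination on the left.
GOOD_RIGHT = [(CPU2, LEFT_EXTRA, S7_PORT)]
GOOD_LEFT = [(RIGHT_EXTRA, CPU1, S7_PORT)]
# Common mistakes: rule written with the post-SNAT source / the pre-DNAT destination.
BAD_RIGHT = [(RIGHT_EXTRA, LEFT_EXTRA, S7_PORT)]
BAD_LEFT = [(RIGHT_EXTRA, LEFT_EXTRA, S7_PORT)]

if __name__ == "__main__":
    print("correct rules:", end_to_end(GOOD_RIGHT, GOOD_LEFT))
    print("right rule uses translated source:", end_to_end(BAD_RIGHT, GOOD_LEFT))
    print("left rule uses untranslated destination:", end_to_end(GOOD_RIGHT, BAD_LEFT))
```

A rule that looks correct on the wire in VLAN2 is dropped on either device, because neither firewall ever sees the VLAN2 address pair as a whole.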
NAT_S615, Entry ID: 109744660, V1.1, 08/2017, page 21
