Cp As Passive Subscriber Of Vpn Connections; Firewall; Firewall Sequence When Checking Incoming And Outgoing Frames; Notation For The Source Ip Address (Advanced Firewall Mode) - Siemens S7-1200 Operating Instructions Manual

Hubs & controllers telecontrol/lte

Hide thumbs Also See for S7-1200:

System manual (1028 pages)

Operating instructions manual (132 pages)

Programming manualline (74 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

page of 132

/ 132
Contents
Table of Contents
Bookmarks

Table of Contents

4.13.1.6

CP as passive subscriber of VPN connections

Setting permission for VPN connection establishment with passive subscribers

If the CP is connected to another VPN subscriber via a gateway, you need to set the

permission for VPN connection establishment to "Responder".

This is the case in the following typical configuration:

VPN subscriber (active) ⇔ gateway (dyn. IP address) ⇔ Internet ⇔ gateway (fixed IP

address) ⇔ CP (passive)

Configure the permission for VPN connection establishment for the CP as a passive

subscriber as follows:

1. In STEP 7, go to the devices and network view.

2. Select the CP.

3. Open the "VPN" tab.

4. For each VPN connection with the CP as a passive VPN subscriber, change the default

setting "Initiator/Responder" to the setting "Responder".

4.13.2

Firewall

4.13.2.1

Firewall sequence when checking incoming and outgoing frames

Each incoming or outgoing frame initially runs through the MAC firewall (layer 2). If the frame

is discarded at this level, it will not be checked by the IP firewall (layer 3). This means that

with suitable MAC firewall rules, IP communication can be restricted or blocked.

4.13.2.2

Notation for the source IP address (advanced firewall mode)

If you specify an address range for the source IP address in the advanced firewall settings of

the CP, make sure that the notation is correct:

● Separate the two IP addresses only using a hyphen.

Correct: 192.168.10.0-192.168.10.255

● Do not enter any other characters between the two IP addresses.

Incorrect: 192.168.10.0 - 192.168.10.255

If you enter the range incorrectly, the firewall rule will not be used.

4.13.2.3

Firewall settings for S7 connections via a VPN tunnel

IP rules in advanced firewall mode

If you set up S7 connections with a VPN tunnel between the CP and a communications

partner, you will need to adapt the local firewall settings of the CP:

Select the "Allow*" action for S7 connections in advanced firewall mode ("Security > Firewall

> IP rules") for both communications directions of the VPN tunnel.

CP 1243-7 LTE

Operating Instructions, 01/2015, C79000-G8976-C381-01

Configuration and operation

4.13 Security functions

Table of Contents

Show Quick Links

Hide quick links:

Table of Contents

This manual is also suitable for:

Cp 1243-7

Cp As Passive Subscriber Of Vpn Connections; Firewall; Firewall Sequence When Checking Incoming And Outgoing Frames; Notation For The Source Ip Address (Advanced Firewall Mode) - Siemens S7-1200 Operating Instructions Manual

CP as passive subscriber of VPN connections

Firewall

Firewall sequence when checking incoming and outgoing frames

Notation for the source IP address (advanced firewall mode)

Firewall settings for S7 connections via a VPN tunnel

Hide quick links:

Related Manuals for Siemens S7-1200

Related Content for Siemens S7-1200

This manual is also suitable for:

Table of Contents