Table of Contents
Advertisement
Configuration and operation
4.8 Security functions
3. With the right mouse button, select "Activate connection to the internal subscribers" in the
shortcut menu.
The lower level node appears temporarily in the tunnel overview.
4. Select the lower-level node in the tunnel overview.
5. Select "Delete Entry" in the shortcut menu.
Result: The lower-level node is now fully disabled. VPN tunnel communication to the CP can
be established.
4.8.1.5
CP as passive subscriber of VPN connections
Setting permission for VPN connection establishment with passive subscribers
If the CP is connected to another VPN subscriber via a gateway, you need to set the
permission for VPN connection establishment to "Responder".
This is the case in the following typical configuration:
VPN subscriber (active) ⇔ gateway (dyn. IP address) ⇔ Internet ⇔ gateway (fixed IP
address) ⇔ CP (passive)
Configure the permission for VPN connection establishment for the CP as a passive
subscriber as follows:
1. In STEP 7, go to the devices and network view.
2. Select the CP.
3. Open the parameter group "VPN" in the local security settings.
4. For each VPN connection with the CP as a passive VPN subscriber, change the default
setting "Initiator/Responder" to the setting "Responder".
4.8.2
Firewall
4.8.2.1
Pre-check of messages by the MAC firewall.
Each incoming or outgoing frame initially runs through the MAC firewall (layer 2). If the frame
is discarded at this level, it will not be checked by the IP firewall (layer 3). This means that
with suitable MAC firewall rules, IP communication can be restricted or blocked.
4.8.2.2
Firewall settings for S7 connections via a VPN tunnel
IP rules in advanced firewall mode
If you set up S7 connections with a VPN tunnel between the CP and a communications
partner, you will need to adapt the local firewall settings of the CP:
94
Operating Instructions, 06/2015, C79000-G8976-C385-01
CP 1243-8 IRC
Advertisement
Table of Contents
