Siemens SCALANCE S615 Manual page 11

2 UseCases at a Glance
Process flow (active connection establishment from PC to CPU):
The additional NAT IP addresses 192.168.1.2 and 192.168.1.3 are used by the
SCALANCE S615.
The PC accesses the local IP address 192.168.1.2 or 192.168.1.3 as the
destination.
Using the definition in its NAT table, the SCALANCE S615 replaces the destination
IP address and sends the packet to CPU1 or CPU2.
The source IP address (in this document: 192.168.1.10) is not changed; from the
CPU's perspective, the packet is from a non-local subnet.
That is why the CPU requires an additional entry for the gateway (IP address of the
SCALANCE S615 for VLAN1).
In all reply packets from the CPU to the PC, the source IP address 192.168.2.20
(or 192.168.2.30) is automatically replaced with 192.168.1.2 (or 192.168.1.3).
Advantages
The advantage of the NAT table is that, due to the use of additional addresses per
CPU, all ports can be forwarded or used.
Disadvantages
The disadvantage is that only active connection establishment from the PC to the
CPU is possible. Furthermore, each CPU requires additional IP addresses from the
subnet of VLAN2 and each single one must be configured accordingly.
NAT and firewall rules
The NAT table of the SCALANCE S615 translates packets from VLAN2 with the
destination IP address 192.168.1.2 (or 192.168.1.3) to the CPU's IP address
192.168.2.20 (or 192.168.2.30).
Figure 2-7
The firewall must allow communication between the PC (VLAN2) and the two
CPUs (VLAN1). As only PG functions via an S7 connection are allowed, the
service is limited to port 102.
Figure 2-8
NAT_S615
Entry ID: 109744660, V1.1, 08/2017
11