Siemens SCALANCE S615 Manual page 23

NAT variants

2 Use Cases at a Glance
Using the definition in its NAT table, the SCALANCE S615 replaces the source IP
address with its own IP address (192.168.1.1) and forwards the packet to the
destination IP address.
From the PC's perspective, all packets of the CPUs are from the local subnet,
VLAN2. This means the packets can be replied to directly. The subnet of VLAN1 is
not visible to the outside world.
In all reply packets from the PC to the CPU, the destination IP address is
automatically replaced with the appropriate CPU IP address.
The assignment is made based on the existing state in the firewall. There is no
manual assignment as with destination NAT.
Advantages
This NAT table has the advantage that no additional IP address is required. The IP
address of the SCALANCE S615 for VLAN2 that is already in use is used as the
source IP address.
Disadvantages
The disadvantage is that connections can only be established actively from the
CPU to the PC. Because all translated packets carry the same source IP address,
the PC can no longer tell which CPU sent them.
NAT and firewall rules
The NAT table of the SCALANCE S615 translates packets from VLAN1 with the
source IP address 192.168.2.x to its own VLAN2 IP address 192.168.1.1.
Figure 2-13
The firewall must allow communication between the CPU (VLAN1) and the PC
(VLAN2). The services are limited to TCP.
Figure 2-14
Remarks
Address translation using source NAT is performed after the firewall;
consequently, the firewall rules must use the physical (untranslated) addresses.
To allow any source or destination IP address, enter 0.0.0.0/0 in the firewall
rule.
The Source NAT tab translates several IP addresses to a single IP address,
i.e. N:1 NAT.
The NETMAP: Source NAT tab translates several IP addresses to several IP
addresses, i.e. 1:1 NAT.
In the reverse direction, the configuration works accordingly if both CPUs have
no gateway entry.
For source NAT, the translation shown here is normally sufficient, as the source
IP address of a connection is not checked in most cases. Otherwise, use
appropriate "NETMAP > Source NAT" entries (see Chapter 2.4) to translate to
individual addresses.
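
The behaviour described above, as an added example that is not part of the Siemens manual: a toy Python model of N:1 source NAT with a state table, showing the firewall matching on the real CPU address, replies being mapped back by state, and a PC-initiated packet finding no mapping. The CPU and PC addresses, the /24 prefix lengths, the port numbers and the port allocation scheme are constructed assumptions; only 192.168.1.1 and 192.168.2.x come from the page.

```python
import ipaddress

S615_VLAN2_IP = "192.168.1.1"                        # from the page
VLAN1_NET = ipaddress.ip_network("192.168.2.0/24")   # 192.168.2.x on the page; /24 assumed
VLAN2_NET = ipaddress.ip_network("192.168.1.0/24")   # prefix length assumed
PC = "192.168.1.100"                                 # constructed sample address


class SourceNatModel:
    """Toy model: firewall on real addresses first, then N:1 source NAT with state."""

    def __init__(self):
        self.state = {}          # (nat_port, pc_ip, pc_port) -> (cpu_ip, cpu_port)
        self.next_port = 40000   # constructed start of the translated port range

    def outbound(self, src, sport, dst, dport, proto="tcp"):
        """New connection from VLAN1 to VLAN2; returns the packet as the PC sees it."""
        # The firewall rule is matched before translation, so it sees the CPU address.
        if not (proto == "tcp"
                and ipaddress.ip_address(src) in VLAN1_NET
                and ipaddress.ip_address(dst) in VLAN2_NET):
            return None
        nat_port, self.next_port = self.next_port, self.next_port + 1
        self.state[(nat_port, dst, dport)] = (src, sport)
        return (S615_VLAN2_IP, nat_port, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Packet from VLAN2 to the S615 address; returns it as the CPU sees it."""
        cpu = self.state.get((dport, src, sport)) if dst == S615_VLAN2_IP else None
        if cpu is None:
            return None          # no state entry: nothing to translate back to
        return (src, sport, cpu[0], cpu[1])


def demo():
    nat = SourceNatModel()
    out1 = nat.outbound("192.168.2.10", 50001, PC, 102)   # constructed CPU 1
    out2 = nat.outbound("192.168.2.11", 50001, PC, 102)   # constructed CPU 2
    return {
        "out1": out1,
        "out2": out2,
        "reply1": nat.inbound(PC, 102, out1[0], out1[1]),
        "reply2": nat.inbound(PC, 102, out2[0], out2[1]),
        "unsolicited": nat.inbound(PC, 33333, S615_VLAN2_IP, 102),
        "udp": nat.outbound("192.168.2.10", 50002, PC, 102, proto="udp"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```

Both outbound packets reach the PC with source address 192.168.1.1, which is why PC-side logs and access controls cannot attribute traffic to an individual CPU without the NAT device's own state or logs.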
NAT_S615, Entry ID: 109744660, V1.1, 08/2017, page 23
