
NAT Variants with the SCALANCE S615
SCALANCE S615
Siemens Industry Online Support

Siemens AG. All rights reserved.

Warranty and Liability

Note
The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These Application Examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these Application Examples and other Siemens publications, e.g. catalogs, the contents of the other documents have priority.

We do not accept any liability for the information contained in this document. Any claims against us based on whatever legal reason resulting from the use of the examples, information, programs, engineering and performance data etc. described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (Produkthaftungsgesetz), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (wesentliche Vertragspflichten). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment.

Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of Siemens AG.

Security information

Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks. In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement and continuously maintain a holistic, state-of-the-art industrial security concept. Siemens products and solutions only form one element of such a concept. The customer is responsible for preventing unauthorized access to its plants, systems, machines and networks. Systems, machines and components should only be connected to the enterprise network or the internet if and to the extent necessary and with appropriate security measures (e.g. use of firewalls and network segmentation) in place. Additionally, Siemens guidance on appropriate security measures should be taken into account. For more information about industrial security, please visit the Siemens industrial security website.

Siemens products and solutions undergo continuous development to make them more secure. Siemens strongly recommends applying product updates as soon as they are available and always using the latest product versions. Use of product versions that are no longer supported, and failure to apply the latest updates, may increase the customer's exposure to cyber threats. To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed.

Entry ID: , V1.1, 08/2017

Table of Contents

Warranty and Liability
1 Introduction
2.1 Static routing
2.2 Web server access via NAPT
2.3 PG functions with NETMAP and destination NAT
2.4 NATing entire subnets via NETMAP and destination NAT
2.5 Series machines with NETMAP and destination NAT
2.6 Cross communication for series machines with NETMAP and destination NAT
2.7 Connection to control system with source NAT
2.8 Source NAT from VPN tunnel
2.9 S7 connection with double NAT
3 Valuable Information
    General principles
    Classless Inter-Domain Routing (CIDR)
    Connection directions in the network
    NAT mechanisms
    Firewall and NAT
    S7 connections and NAT
    TIA Online functions and NAT
4 Appendix
    Service and Support
    Links and literature
    Change documentation

1 Introduction

Starting situation

The SCALANCE S615 is a module from the security module product line and protects industrial networks and automation systems against unauthorized access. Thanks to its diverse features, the security module enables protection of different network topologies and flexible implementation of security concepts:
- VLAN structuring of its five Ethernet ports provides protection against DoS attacks and unauthorized access.
- Access to the device and the adjacent network can be protected by a firewall and VPN.
- Configured as a NAT router, it hides the IP addresses of the industrial networks or automation systems from the outside world. In addition, the same IP address range can be reused by multiple closed private networks without causing address collisions.

Motivation for this documentation

Use of the SCALANCE S615 as a router, together with its support of the common NAT mechanisms, provides numerous options for accessing the internal network or automation system to be protected:
- Static routing
- NAPT
- NAT
- NETMAP
- IP masquerading

Static routing is always preferable to all other NAT variants. Depending on the use case, NAT requires significant extra effort in configuration and handling. However, some configurations cannot be solved with routing, for example if no gateway entry is wanted on the end devices. In these cases, a suitable NAT method must be used.

Contents of this document

This document uses selected use cases to describe the different options. Each use case describes the starting situation, discusses the requirement and addresses the advantages and disadvantages. The aim is to give an overview of the available options and provide an adequate solution for common use cases. The following configurations are looked at in detail:

Table 1-1
Use case | Mechanism
1. Two-way communication with gateway | Standard routing
2. Web server access without gateway (active PC, passive CPU) | NAPT
3. PG functions on multiple CPUs without gateway | Destination NAT
4. NATing entire subnets | Destination NAT
5. PG functions on multiple CPUs without gateway in series machine manufacturing | Destination NAT
6. Cross communication for series machines | Destination NAT
7. Connection to control systems without gateway (CPU as the active part) | Source NAT
8. Reaction-free communication using VPN tunnel in existing plants | Source NAT
9. Reaction-free S7 communication in existing plants | Source and destination NAT

Note: The functions described in this document require firmware V in the SCALANCE S615. Make sure that firmware V or higher is installed on the module (see Chapter 4.2).

Note: For the basics of the mechanisms used in this document and additional information on handling NAT, please refer to the chapter "Valuable Information".

2.1 Static routing

Starting situation

The following configuration allows bidirectional communication between the PC and the CPU. Either side can establish the connection.

Figure 2-1 (topology): PC on VLAN2 ( /24), gateway = VLAN2 address of the SCALANCE S615; CPU on VLAN1 ( /24), gateway = VLAN1 address of the SCALANCE S615.

Requirements

For network separation, the SCALANCE S615 has two VLANs with different network IDs. As a result, the device has a separate IP address for each VLAN (in this document: VLAN1: and VLAN2: ). Depending on the VLAN the terminal belongs to, the corresponding IP address of the SCALANCE S615 must be entered in the terminal (in this document: PC or CPU) as the gateway. All subnets and IP addresses are used only once in the entire network.

If there are additional routers on VLAN2 that must also communicate with VLAN1, advertise or configure the subnet of VLAN1 on them as well. As a general rule, all subnets must be known to all routers.

Process flow (active connection establishment from CPU to PC):
- The PC's IP address is not in the CPU's local subnet, so the CPU sends the packet to its gateway, the SCALANCE S615.
- The SCALANCE S615 has an interface on the PC's subnet and forwards the packet directly to the PC.
- From the PC's perspective, the CPU's IP address is not local either, so the reply packets are also sent to the gateway, which forwards them to the CPU.

Advantages

All nodes can establish connections in any direction. Each node can be reached through a unique address.

Firewall rules

Bidirectional communication between the two VLANs is enabled in the SCALANCE S615 firewall (Figure 2-2).

2.2 Web server access via NAPT

Starting situation

The PC is to be able to access the CPU's web server without a gateway entry on the PC. The destination port is not fixed and can be chosen when establishing the connection.

Figure 2-3 (topology): PC on VLAN2 ( /24), gateway: none; the PC addresses the VLAN2 address of the SCALANCE S615 with destination port 8080, which the NAPT table translates to the CPU's address with destination port 80; CPU on VLAN1 ( /24), gateway = VLAN1 address of the SCALANCE S615.

Requirements

For network separation, the SCALANCE S615 has two VLANs with different network IDs. As a result, the device has a separate IP address for each VLAN (in this document: VLAN1: and VLAN2: ). In addition, a NAPT table is defined in the SCALANCE S615 that translates the PC's frames to a different IP address and port. For the CPU's reply packets to find their way to VLAN2, the IP address of the SCALANCE S615 (VLAN1) must be entered in the CPU as the gateway.

Process flow (active connection establishment from PC to CPU):
- Instead of the CPU's IP address, the PC addresses the local VLAN2 IP address of the SCALANCE S615 together with a port as the destination.
- Using the entry in its NAPT table, the SCALANCE S615 replaces the destination IP address and, optionally, the destination port, and sends the packet to the CPU.

- The source IP address (the PC's) is not changed; from the CPU's perspective, the packet comes from another subnet. That is why the CPU requires a gateway entry (IP address of the SCALANCE S615 for VLAN1).
- In all reply packets from the CPU to the PC, the source IP address and port are automatically translated back to the VLAN2 address of the SCALANCE S615 and the forwarded port.

Advantages

No additional gateway entry is required in the PC. The destination address is the IP address of the SCALANCE S615 that already exists in the PC's local network.

Disadvantages

Only active connection establishment from the PC to the CPU is possible. Each port can be forwarded only once, so with protocols that use a fixed destination port (e.g. the S7 protocol on TCP 102) only a single node on VLAN1 can be reached. Forwarded ports are no longer available to the SCALANCE S615 itself on that interface (e.g. HTTP/HTTPS management, IPsec or SNMP, if their ports are the ones forwarded).

NAPT and firewall rules

The NAPT table of the SCALANCE S615 translates packets from VLAN2 with destination :8080 (the VLAN2 address of the SCALANCE S615) to the CPU's IP address :80. Port 80 is used because this is web server access (Figure 2-4).

The firewall must allow communication between the PC (VLAN2) and the CPU (VLAN1) (Figure 2-5).

Remarks

Address translation using NAPT has already been performed before the firewall; consequently, the firewall rule must use the translated destination address and port (CPU :80), not the address and port the PC sees. From the PC's perspective, the CPU's web server is therefore reached on port 8080 of the VLAN2 address of the SCALANCE S615. More CPUs can be made accessible in the same way by using a different external destination port per CPU, e.g. :8081 -> :80. To enable all of VLAN2 for access to the CPU, change the source of the firewall rule to the VLAN2 subnet ( /24). Port forwarding is the more common term for NAPT.
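The NAPT behaviour described in this use case, modelled as an added example (not Siemens code; the S615 is configured through its web interface, and nothing here is its implementation). The model shows the three points a practitioner has to get right: the destination rewrite happens before the firewall, so the firewall rule must name the CPU's address and port 80 rather than the S615 address and port 8080; each external port can be forwarded only once; and a forward on a port the device itself uses (the page names HTTP, IPsec and SNMP) makes that device service unreachable. The 192.168.x.x addresses, the class and function names, and the DEVICE_SERVICES port list are this example's own assumptions.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# Well-known ports of services the S615 itself offers (standard port numbers; the
# page names HTTP, IPsec and SNMP as services that a forward on their port shadows).
DEVICE_SERVICES = {
    ("tcp", 80): "HTTP web management",
    ("tcp", 443): "HTTPS web management",
    ("udp", 500): "IPsec IKE",
    ("udp", 4500): "IPsec NAT-T",
    ("udp", 161): "SNMP",
}


class NaptTable:
    """Port-forward entries: (proto, external port) -> (internal IP, internal port)."""

    def __init__(self, external_ip):
        self.external_ip = external_ip   # the S615's own VLAN2 address
        self.rules = {}

    def add(self, ext_port, int_ip, int_port, proto="tcp"):
        """Add a forward. Returns the name of a device service the forward shadows, or None."""
        key = (proto, ext_port)
        # Each external port can be forwarded exactly once, so a second entry
        # for the same port is a configuration error, not a silent override.
        if key in self.rules:
            raise ValueError(f"{proto}/{ext_port} is already forwarded to {self.rules[key]}")
        self.rules[key] = (int_ip, int_port)
        return DEVICE_SERVICES.get(key)

    def is_free(self, ext_port, proto="tcp"):
        return (proto, ext_port) not in self.rules

    def translate_request(self, pkt):
        """DNAT for a packet addressed to the S615's VLAN2 address; None if no entry matches."""
        if pkt.dst_ip != self.external_ip:
            return None
        target = self.rules.get((pkt.proto, pkt.dst_port))
        if target is None:
            return None
        return replace(pkt, dst_ip=target[0], dst_port=target[1])

    def translate_reply(self, pkt):
        """Reverse translation for a reply coming back from the internal node."""
        for (proto, ext_port), (int_ip, int_port) in self.rules.items():
            if pkt.proto == proto and pkt.src_ip == int_ip and pkt.src_port == int_port:
                return replace(pkt, src_ip=self.external_ip, src_port=ext_port)
        return pkt


def firewall_allows(rules, pkt):
    """Allow-list of (src_ip, dst_ip, dst_port, proto), evaluated on the packet as it
    is AFTER DNAT, which is the order the page describes (NAPT first, then firewall)."""
    return (pkt.src_ip, pkt.dst_ip, pkt.dst_port, pkt.proto) in rules


def forward(napt, fw_rules, pkt):
    """VLAN2 -> VLAN1 request through the S615: NAPT first, then the firewall."""
    translated = napt.translate_request(pkt)
    if translated is None or not firewall_allows(fw_rules, translated):
        return None
    return translated


# Constructed addresses (assumptions; the page's own addresses are not given here).
S615_VLAN2 = "192.168.2.1"
PC = "192.168.2.10"
CPU = "192.168.1.10"

napt = NaptTable(S615_VLAN2)
napt.add(8080, CPU, 80)  # PC -> S615:8080 becomes PC -> CPU:80

# Right: the rule names the translated destination (CPU, port 80).
FW_TRANSLATED = {(PC, CPU, 80, "tcp")}
# Wrong: the rule names what the PC sees (S615, port 8080); DNAT has already
# run when the firewall looks at the packet, so this rule never matches.
FW_UNTRANSLATED = {(PC, S615_VLAN2, 8080, "tcp")}


def demo():
    request = Packet(PC, 51000, S615_VLAN2, 8080)
    return forward(napt, FW_TRANSLATED, request), forward(napt, FW_UNTRANSLATED, request)


if __name__ == "__main__":
    ok, dropped = demo()
    print("with translated rule:", ok)          # Packet(PC, 51000, CPU, 80)
    print("with untranslated rule:", dropped)   # None
    print("reply as the PC sees it:", napt.translate_reply(Packet(CPU, 80, PC, 51000)))
```

The same table also shows why a second CPU needs its own external port (8081 -> :80 as the page suggests): `add(8080, ...)` a second time raises, and `add(443, ...)` would return the name of the device service that forward hides, which is the check to make before forwarding a management port.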

2.3 PG functions with NETMAP and destination NAT

Starting situation

Without a gateway entry on the PC, the PC is to use STEP 7 PG functions on multiple CPUs. STEP 7 PG functions run over an S7 connection with a fixed destination port, TCP 102, that cannot be changed, so port forwarding (NAPT) would only work for a single CPU.

Figure 2-6 (topology): PC on VLAN2 ( /24), gateway: none; the SCALANCE S615 answers for two additional VLAN2 IP addresses, one per CPU; CPU1 and CPU2 on VLAN1 ( /24), each with the VLAN1 address of the SCALANCE S615 as gateway.

Requirements

For network separation, the SCALANCE S615 has two VLANs with different network IDs. As a result, the device has a separate IP address for each VLAN (in this document: VLAN1: and VLAN2: ). To translate the PC's frames to a different IP address, a NAT table is additionally defined in the SCALANCE S615. This requires two further, unused IP addresses from the subnet of VLAN2. For the reply packets of the two CPUs to find their way to VLAN2, the IP address of the SCALANCE S615 (VLAN1) must be entered in both CPUs as the gateway.

Process flow (active connection establishment from PC to CPU):
- The additional NAT IP addresses ( and ) are owned by the SCALANCE S615, which answers ARP requests for them on VLAN2.
- The PC addresses one of these local IP addresses as the destination.
- Using the entry in its NAT table, the SCALANCE S615 replaces the destination IP address with that of CPU1 or CPU2 and sends the packet on.
- The source IP address (the PC's) is not changed; from the CPU's perspective, the packet comes from a non-local subnet. That is why each CPU requires a gateway entry (IP address of the SCALANCE S615 for VLAN1).
- In all reply packets from a CPU to the PC, the CPU's source IP address is automatically replaced with the corresponding additional NAT IP address.

Advantages

Because each CPU gets an additional address of its own, all ports can be forwarded or used, including the fixed port TCP 102.

Disadvantages

Only active connection establishment from the PC to the CPU is possible. Furthermore, each CPU requires an additional IP address from the subnet of VLAN2, and each one must be configured individually.

NAT and firewall rules

The NAT table of the SCALANCE S615 translates packets from VLAN2 with the destination IP address (or ) to the CPU's IP address (or ) (Figure 2-7).

The firewall must allow communication between the PC (VLAN2) and the two CPUs (VLAN1). As only PG functions over an S7 connection are to be allowed, the service is limited to TCP port 102 (Figure 2-8).

Remarks

Address translation using NAT has already been performed before the firewall; consequently, the firewall must use the translated (real CPU) addresses. From the PC's (or STEP 7's) perspective, the two CPUs are reached via the additional IP addresses and . To enable all of VLAN2 for access to the CPUs, change the source in both the firewall rule and the NAT rule to the VLAN2 subnet ( /24). For a single CPU, NAPT could also be used (see Chapter 2.2). NETMAP always translates x addresses to x other addresses, which is also called 1:1 NAT. The "Trans. Destination IP Subnet" column in the SCALANCE S615 may only be configured with a single IP address (/32) here; only then does the SCALANCE S615 reply to ARP requests for the additional IP addresses.

2.4 NATing entire subnets via NETMAP and destination NAT

Starting situation

The PC is to communicate with several or all devices in an automation network. The destination port is not fixed and can be chosen when establishing the connection.

Figure 2- (topology): PC on VLAN2 ( /24) with the VLAN2 address of the SCALANCE S615 as gateway; an additional virtual subnet ( /24) that exists only inside the SCALANCE S615 and is reachable from VLAN2 only via routing; CPU1, CPU2 and a further SCALANCE device on VLAN1 ( /24), each with the VLAN1 address of the SCALANCE S615 as gateway.

Prerequisites

For network separation, the SCALANCE S615 has two VLANs with different network IDs. As a result, the device has a separate IP address for each VLAN (in this document: VLAN1: and VLAN2: ). To translate the PC's frames to a different IP address, a NAT table is additionally defined in the SCALANCE S615. This requires an additional free subnet (in this document: /24). This virtual subnet exists only within the SCALANCE S615; it can be chosen freely and is completely independent of the subnet on VLAN1. Depending on the VLAN the terminal belongs to, the corresponding IP address of the SCALANCE S615 must be entered in the terminal (in this document: PC or automation device) as the gateway, because the virtual subnet can only be reached via routing.

Process flow (active connection establishment from PC to CPU):
- The additional virtual subnet ( /24) is owned by the SCALANCE S615, which uses NETMAP for the address translation. With NETMAP, complete subnets are translated to a different subnet address by address (one to one): the host part of each address is kept and only the network part is exchanged. For the example, this results in the translations in Table 2-2.

Table 2-2
Destination IP address (VLAN1) | Virtual NAT IP address

- Via its route, the PC addresses one of the virtual addresses as the destination. Using the entry in its NAT table, the SCALANCE S615 replaces the destination IP address with the corresponding VLAN1 address and sends the packet to CPU1.
- The source IP address (the PC's) is not changed; from the CPU's perspective, the packet comes from a non-local subnet. That is why the CPU requires a gateway entry (IP address of the SCALANCE S615 for VLAN1).
- In all reply packets from the CPU to the PC, the VLAN1 source address ( x) is automatically replaced with the corresponding virtual address ( x).

Advantages

Because every CPU gets a virtual address of its own, all ports can be forwarded or used. The one-to-one address translation simplifies the NAT configuration, since only one line is necessary in the NAT table.

Disadvantages

Only active connection establishment from the PC to the CPU is possible. The route to the virtual subnet must be known to the PC (gateway entry). The virtual NAT IP addresses cannot be accessed directly on the link, only via routing.

NAT and firewall rules

The NAT table of the SCALANCE S615 translates packets from /24 (VLAN2) with a destination in the virtual subnet to VLAN1. The translation is done one to one (Figure 2-2).

The firewall must allow communication between the PC (VLAN2) and the automation devices (VLAN1) (Figure 2-).

Remarks

Address translation using NAT has already been performed before the firewall; consequently, the firewall must use the translated (real VLAN1) addresses. To enable all of VLAN2 for access to the automation devices, change the source in both the firewall rule and the NAT rule to the VLAN2 subnet ( /24). No ARP requests for addresses in the virtual subnet ( x) are answered; as a result, these addresses can only be reached via routing. For a single CPU, NAPT could also be used (see Chapter 2.2). NETMAP always translates x addresses to x other addresses, which is also called 1:1 NAT. All subnets participating in NETMAP must be of the same size, e.g. all /24.
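The NETMAP translation used in this use case and in Chapter 2.3, worked as an added example (not Siemens code, and not how the S615 implements it internally). It shows the 1:1 rule as address arithmetic with Python's ipaddress module: the host part is kept and only the network part is swapped, the two sides must have the same prefix length, and the difference between a /32 entry (answered by ARP, so a PC without gateway can reach it) and a whole virtual /24 (not answered by ARP, so the PC needs a route). The 192.168.x.x and 10.10.10.x addresses and all class and function names are this example's own assumptions.

```python
import ipaddress


def netmap_sizes_match(virtual_subnet, real_subnet):
    """NETMAP is 1:1, so both sides must cover the same number of addresses."""
    v = ipaddress.ip_network(virtual_subnet)
    r = ipaddress.ip_network(real_subnet)
    return v.prefixlen == r.prefixlen


class NetmapRule:
    """One NETMAP line: a virtual (VLAN2-side) subnet mapped 1:1 onto a real VLAN1 subnet."""

    def __init__(self, virtual_subnet, real_subnet):
        if not netmap_sizes_match(virtual_subnet, real_subnet):
            raise ValueError(f"NETMAP needs equal-size subnets: {virtual_subnet} vs {real_subnet}")
        self.virtual = ipaddress.ip_network(virtual_subnet)
        self.real = ipaddress.ip_network(real_subnet)

    @staticmethod
    def _shift(addr, src_net, dst_net):
        # Keep the host part, exchange the network part.
        addr = ipaddress.ip_address(addr)
        if addr not in src_net:
            return None
        host_part = int(addr) - int(src_net.network_address)
        return ipaddress.ip_address(int(dst_net.network_address) + host_part)

    def to_real(self, addr):
        """Destination NAT on the request: virtual destination -> real CPU address."""
        return self._shift(addr, self.virtual, self.real)

    def to_virtual(self, addr):
        """Reply path: real CPU source -> the virtual source the PC expects."""
        return self._shift(addr, self.real, self.virtual)

    def answers_arp(self):
        """Per the page, the S615 answers ARP for a NETMAP entry only when it is a single /32 host."""
        return self.virtual.prefixlen == self.virtual.max_prefixlen


def translate_destination(rules, dst):
    """Apply the first matching NETMAP line; None means no line matches."""
    for rule in rules:
        real = rule.to_real(dst)
        if real is not None:
            return str(real)
    return None


def translate_reply_source(rules, src):
    for rule in rules:
        virt = rule.to_virtual(src)
        if virt is not None:
            return str(virt)
    return None


def reachable_without_gateway(rule, pc_subnet):
    """A PC with no gateway entry can only reach a virtual address it can ARP for,
    i.e. a /32 entry inside the PC's own subnet (Chapters 2.3 and 2.5). A whole
    virtual subnet (Chapter 2.4) is not answered by ARP and needs a route on the PC."""
    return rule.answers_arp() and rule.virtual.network_address in ipaddress.ip_network(pc_subnet)


# Constructed addresses (assumptions; the page's own addresses are not given here).
PC_SUBNET = "192.168.2.0/24"
host_rules = [                                                  # Chapter 2.3: one /32 line per CPU
    NetmapRule("192.168.2.201/32", "192.168.1.10/32"),
    NetmapRule("192.168.2.202/32", "192.168.1.11/32"),
]
subnet_rule = NetmapRule("10.10.10.0/24", "192.168.1.0/24")     # Chapter 2.4: whole subnet, one line

if __name__ == "__main__":
    print(translate_destination(host_rules, "192.168.2.202"))       # 192.168.1.11
    print(translate_destination([subnet_rule], "10.10.10.37"))      # 192.168.1.37
    print(translate_reply_source([subnet_rule], "192.168.1.37"))    # 10.10.10.37
    print(reachable_without_gateway(host_rules[0], PC_SUBNET))      # True
    print(reachable_without_gateway(subnet_rule, PC_SUBNET))        # False
```

`netmap_sizes_match` is the check to run before entering a NETMAP line: a /24 mapped onto a /25 has no 1:1 correspondence for half of the hosts, which is why the page requires equal sizes.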

2.5 Series machines with NETMAP and destination NAT

Starting situation

In this case, several identical plant parts are to be accessed by a PC. Consequently, all plant parts use the same subnet (in this document: x). Without a gateway entry, the PC is to communicate with each CPU of the plant parts and execute any functions.

Topology: PC on VLAN2 ( /24), gateway: none; one SCALANCE S615 per plant part, each with its own VLAN2 address and one additional VLAN2 IP address in its NAT table; behind each SCALANCE S615 a CPU on VLAN1 ( /24) with the same IP address in every plant part and the VLAN1 address of its SCALANCE S615 as gateway.

Requirements

A SCALANCE S615 is connected upstream of each plant part. For network separation, the SCALANCE S615 has two VLANs with different network IDs. As a result, each device has a separate IP address for each VLAN (in this document: VLAN1: and VLAN2: or ). The SCALANCE S615 modules and the PC are connected via VLAN2. This configuration requires NAT and cannot be solved with pure routing, because the VLAN1 subnet, being identical in every plant part, cannot be uniquely assigned, regardless of the direction of connection establishment and of gateway entries in the PC. One SCALANCE S615 module is required for each identical internal subnet; it is not possible to connect multiple identical subnets to a single SCALANCE S615. Therefore, a NAT table is defined in each SCALANCE S615 to translate the PC's frames to a different IP address. This requires one further IP address from the subnet of VLAN2 per plant part.

For the reply packets of the two CPUs to find their way back to VLAN2, the IP address of the respective SCALANCE S615 (VLAN1) must be entered in both CPUs as the gateway.

Process flow (active connection establishment from PC to CPU):
- The additional NAT IP addresses ( and ) are owned by the two SCALANCE S615 modules.
- The PC addresses one of these local IP addresses as the destination.
- Using the entry in its NAT table, the associated SCALANCE S615 replaces the destination IP address with the CPU's and sends the packet to CPU1 or CPU2.
- The source IP address (the PC's) is not changed; from the CPU's perspective, the packet comes from a non-local subnet. That is why the CPU requires a gateway entry (IP address of the associated SCALANCE S615 for VLAN1).
- In all reply packets from the CPU to the PC, the source IP address is automatically replaced with the additional NAT IP address of the respective SCALANCE S615.

Advantages

Because each plant part is reached via an additional address of its own, all ports can be forwarded or used.

Disadvantages

Only active connection establishment from the PC to the CPU is possible. Furthermore, each plant part requires an additional IP address from the subnet of VLAN2, and each one must be configured individually.

NAT and firewall rules

The NAT table of the SCALANCE S615 for the first plant part translates packets from VLAN2 with the destination IP address (its additional address) to the CPU's IP address (Figure 2-9). The NAT table of the SCALANCE S615 for the second plant part is configured accordingly (Figure 2-10).

The firewall rules for both SCALANCE S615 modules are identical, as both use the same subnet on VLAN1. The firewall must allow communication between the PC (VLAN2) and the CPU (VLAN1). As all functions may be executed, there is no port restriction (Figure 2-11).

Remarks

Address translation using NAT has already been performed before the firewall; consequently, the firewall must use the translated (VLAN1) addresses. From the PC's (or STEP 7's) perspective, the two CPUs are therefore reached via the additional addresses and ; this keeps the CPUs distinguishable despite identical subnets on VLAN1. To enable all of VLAN2 for access to the CPU, change the source in both the firewall rule and the NAT rule to the VLAN2 subnet ( /24). NETMAP always translates x addresses to x other addresses, which is also called 1:1 NAT. The "Trans. Destination IP Subnet" column in the SCALANCE S615 may only be configured with a single IP address (/32) here; only then does the SCALANCE S615 reply to ARP requests for the additional IP addresses.

2.6 Cross communication for series machines with NETMAP and destination NAT

Starting situation

In this case, several identical plant parts are to communicate among each other (in this document: CPU2 to CPU1). All plant parts use the same subnet (in this document: x).

Topology: the two SCALANCE S615 modules are connected via VLAN2 ( /24), each with its own VLAN2 address and one additional VLAN2 IP address in its NAT table; CPU1 behind the first and CPU2 behind the second module, both on VLAN1 ( /24) with the same IP address and the VLAN1 address of their SCALANCE S615 as gateway.

Prerequisite

A SCALANCE S615 is connected upstream of each plant part. For network separation, the SCALANCE S615 has two VLANs with different network IDs. As a result, each device has a separate IP address for each VLAN (in this document: VLAN1: and VLAN2: or ). The SCALANCE S615 modules are connected via VLAN2. This configuration requires NAT and cannot be solved with pure routing, because the VLAN1 subnet, being identical in both plant parts, cannot be uniquely assigned, regardless of the direction of connection establishment and of gateway entries. One SCALANCE S615 module is required for each identical internal subnet; it is not possible to connect multiple identical subnets to a single SCALANCE S615. Therefore, a NAT table is defined in each SCALANCE S615 to translate the frames exchanged between the plant parts to different IP addresses. This requires one further IP address from the subnet of VLAN2 per plant part.

In the left SCALANCE S615 (first plant part), destination NAT is used; in the right SCALANCE S615 (second plant part), source NAT. For the reply packets of the two CPUs to find their way back to VLAN2, the IP address of the respective SCALANCE S615 (VLAN1) must be entered in both CPUs as the gateway.

Process flow (active connection establishment from CPU2 to CPU1):
- The additional NAT IP addresses ( and ) are owned by the two SCALANCE S615 modules.
- CPU2 addresses the additional VLAN2 IP address of the first plant part's SCALANCE S615 as the destination; the address is non-local, so the packet goes to CPU2's gateway.
- Using the entry in its NAT table, the SCALANCE S615 of the second plant part replaces the source IP address (CPU2's) with its own additional VLAN2 address and forwards the packet towards CPU1.
- Using the entry in its NAT table, the SCALANCE S615 of the first plant part replaces the destination IP address (its additional address) with CPU1's address and sends the packet to CPU1.
- The source IP address has been changed; from CPU1's perspective, the packet comes from a non-local subnet and is answered via its gateway. Changing the source IP address is necessary because CPU1 and CPU2 internally use the same IP address (in this document: ). Without changing the source IP address, it would look to CPU1 as if the packet came from its own IP address.

Advantages

Although both CPUs use the same IP address and subnet, direct CPU-to-CPU communication is possible.

Disadvantages

Only active connection establishment from CPU2 to CPU1 is possible. For bidirectional CPU-to-CPU communication, the same rules also need to be configured for the opposite direction. Each plant part requires an additional IP address from the subnet of VLAN2, and each one must be configured individually.

NAT and firewall rules

The NAT table of the SCALANCE S615 for the first plant part translates packets from VLAN2 with the destination IP address (its additional address) to CPU1's IP address (Figure 2-1).

The NAT table of the SCALANCE S615 for the second plant part translates packets from VLAN1 with the source IP address (CPU2's) to its own additional VLAN2 IP address (Figure 2-).

The firewalls of both SCALANCE S615 modules must allow communication between CPU1 (VLAN1) and CPU2 (VLAN1) via VLAN2, in accordance with the NAT tables. The CPU-to-CPU communication is S7 communication, so the services are limited to TCP port 102. The firewall of the SCALANCE S615 of the first plant part must allow communication from VLAN2 (additional IP address of the right SCALANCE S615) to CPU1 (VLAN1) (Figure 2-2). The firewall of the SCALANCE S615 of the second plant part must allow communication from CPU2 (VLAN1) to VLAN2 (additional IP address of the left SCALANCE S615) (Figure 2-3).

Remarks

In the SCALANCE S615 of the first plant part, address translation (destination NAT) has already been performed before the firewall; consequently, its firewall must use the translated address (CPU1's real address) as the destination. In the SCALANCE S615 of the second plant part, address translation (source NAT) is performed after the firewall; consequently, its firewall must use the physical address (CPU2's real address) as the source. The "Trans. Destination IP Subnet" and "Trans. Source IP Subnet" columns in the SCALANCE S615 may only be configured with a single IP address (/32) here; only then does the SCALANCE S615 reply to ARP requests for the additional IP addresses. To translate all internal nodes of the second plant part to the VLAN2 IP address of its SCALANCE S615, source NAT (masquerading) may be used as an alternative to NETMAP source NAT.

2.7 Connection to control system with source NAT

Starting situation

Multiple CPUs are to actively establish a connection to the PC. The PC itself has no gateway entered. The destination port can be fixed or configurable (S7 connection or TCP/UDP native).

Figure 2-12 (topology): PC on VLAN2 ( /24), gateway: none; CPU1 and CPU2 on VLAN1 ( /24), each with the VLAN1 address of the SCALANCE S615 as gateway; the SCALANCE S615 translates all VLAN1 source addresses ( x) to its own VLAN2 address.

Requirements

For network separation, the SCALANCE S615 has two VLANs with different network IDs. As a result, the device has a separate IP address for each VLAN (in this document: VLAN1: and VLAN2: ). In addition, a NAT table is defined in the SCALANCE S615 to translate the CPUs' frames to a different source IP address. For the frames of the two CPUs to find their way to VLAN2, the IP address of the SCALANCE S615 (VLAN1) must be entered in both CPUs as the gateway.

Process flow (active connection establishment from CPU to PC):
- The destination IP address (the PC's) is not in the local subnet of VLAN1. All frames are sent to the gateway (IP address of the SCALANCE S615 on VLAN1).

- Using the entry in its NAT table, the SCALANCE S615 replaces the source IP address with its own VLAN2 IP address ( ) and forwards the packet to the destination IP address.
- From the PC's perspective, all packets of the CPUs come from the local subnet, VLAN2, so the PC can reply to them directly without a gateway. The subnet of VLAN1 is not visible to the outside world.
- In all reply packets from the PC to the CPUs, the destination IP address is automatically replaced with the appropriate CPU IP address. The assignment is made from the connection state kept in the firewall; there is no manual assignment as with destination NAT.

Advantages

No additional IP address is required: the IP address of the SCALANCE S615 for VLAN2, which is already in use, serves as the source IP address.

Disadvantages

Only active connection establishment from the CPU to the PC is possible. Because all packets carry the same source IP address, the PC can no longer tell which CPU sent them (for example in its logs or access lists).

NAT and firewall rules

The NAT table of the SCALANCE S615 translates packets from VLAN1 with a source IP address in x to its own VLAN2 IP address (Figure 2-13).

The firewall must allow communication between the CPUs (VLAN1) and the PC (VLAN2). The services are limited to TCP (Figure 2-14).

Remarks

Address translation using source NAT is performed after the firewall; consequently, the physical (VLAN1) addresses must be used in the firewall rule, not the NAT address. To allow any source or destination IP addresses, change the firewall rule to /0. The "Source NAT" tab translates several IP addresses to a single IP address, i.e. N:1 NAT. The "NETMAP: Source NAT" tab translates several IP addresses to several IP addresses, i.e. 1:1 NAT. In the reverse direction, the configuration works accordingly if both CPUs have no gateway entry. For source NAT, the translation shown here is normally sufficient, as the source IP address of a connection is not checked in most cases. Otherwise, use "NETMAP > Source NAT" (see Chapter 2.4) to translate to individual addresses.

As several IP addresses can be translated to a single IP address, the source port of a connection may be changed during source NAT. This is unavoidable if two nodes use the same source port towards the same destination, since the SCALANCE S615 must keep the translated connections distinguishable in order to return the replies to the right CPU.
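The N:1 source NAT of this use case (and, with the tunnel as the source interface, of Chapter 2.8), worked as an added example that is not Siemens code and not the S615's implementation. It models the three behaviours the page describes: the firewall is evaluated on the physical VLAN1 source before the rewrite, so a rule written against the NAT address never matches; replies are mapped back from connection state rather than from a manual table, so an unsolicited packet to the NAT address has nowhere to go; and the source port is substituted only when two CPUs collide on the same port towards the same destination. The 192.168.x.x addresses, the port pool start and all class and function names are this example's own assumptions.

```python
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class SourceNat:
    """N:1 source NAT: every VLAN1 source becomes the S615's own VLAN2 address."""

    def __init__(self, internal_subnet, nat_ip, port_pool_start=49152):
        self.internal = ipaddress.ip_network(internal_subnet)
        self.nat_ip = nat_ip
        self.next_port = port_pool_start   # assumed pool for substituted ports
        self.forward = {}   # original 5-tuple -> port used on the VLAN2 side
        self.reverse = {}   # (proto, nat_port, peer_ip, peer_port) -> (orig_ip, orig_port)

    def outbound(self, pkt):
        """CPU -> PC direction; called only after the firewall has accepted the packet."""
        if ipaddress.ip_address(pkt.src_ip) not in self.internal:
            return pkt  # the NAT rule does not apply
        fkey = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        nat_port = self.forward.get(fkey)
        if nat_port is None:
            # Keep the CPU's source port unless another node already owns the same
            # (port, peer) tuple; only then is a port from the pool substituted.
            nat_port = pkt.src_port
            while (pkt.proto, nat_port, pkt.dst_ip, pkt.dst_port) in self.reverse:
                nat_port = self.next_port
                self.next_port += 1
            self.forward[fkey] = nat_port
            self.reverse[(pkt.proto, nat_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.nat_ip, src_port=nat_port)

    def inbound(self, pkt):
        """PC -> CPU direction: only replies to tracked connections get through; an
        unsolicited packet to the NAT address has no state and is dropped (None)."""
        if pkt.dst_ip != self.nat_ip:
            return None
        orig = self.reverse.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if orig is None:
            return None
        return replace(pkt, dst_ip=orig[0], dst_port=orig[1])


def firewall_allows(rules, pkt):
    """Rules are (source subnet, destination IP, proto). They are matched BEFORE
    source NAT, so they must name the physical VLAN1 addresses, never the NAT address."""
    src = ipaddress.ip_address(pkt.src_ip)
    return any(src in ipaddress.ip_network(s) and pkt.dst_ip == d and pkt.proto == p
               for s, d, p in rules)


def send(snat, fw_rules, pkt):
    """VLAN1 -> VLAN2 through the S615: firewall on physical addresses, then source NAT."""
    if not firewall_allows(fw_rules, pkt):
        return None
    return snat.outbound(pkt)


# Constructed addresses (assumptions; the page's own addresses are not given here).
S615_VLAN2 = "192.168.2.1"
PC = "192.168.2.10"
CPU1, CPU2 = "192.168.1.10", "192.168.1.11"

FW_PHYSICAL = {("192.168.1.0/24", PC, "tcp")}    # right: VLAN1 subnet as the source
FW_NAT_ADDR = {("192.168.2.1/32", PC, "tcp")}    # wrong: the NAT address is never seen pre-NAT


def demo():
    """Two CPUs open S7 connections (TCP 102) to the PC from the same source port."""
    snat = SourceNat("192.168.1.0/24", S615_VLAN2)
    a = send(snat, FW_PHYSICAL, Packet(CPU1, 2000, PC, 102))
    b = send(snat, FW_PHYSICAL, Packet(CPU2, 2000, PC, 102))   # collides with a's port
    reply_b = snat.inbound(Packet(PC, 102, S615_VLAN2, b.src_port))
    unsolicited = snat.inbound(Packet(PC, 40000, S615_VLAN2, 102))
    dropped = send(snat, FW_NAT_ADDR, Packet(CPU1, 2001, PC, 102))
    return a, b, reply_b, unsolicited, dropped


if __name__ == "__main__":
    labels = ["CPU1 out", "CPU2 out", "reply to CPU2", "unsolicited", "wrong rule"]
    for label, pkt in zip(labels, demo()):
        print(f"{label}: {pkt}")
```

CPU1 keeps source port 2000 on the VLAN2 side; CPU2, arriving second with the same port and destination, is moved to the first pool port, which is the port change the paragraph above describes. The `unsolicited` case is the other half of the page's statement that only the CPUs can open connections in this setup.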

2.8 Source NAT from VPN tunnel

Starting situation

Protected by a VPN tunnel, the PC is to be able to use any functions on the S7 CPUs of an existing plant. No gateway is entered in the CPUs and no change is to be made to their hardware configuration. The destination port is not fixed and can be chosen when establishing the connection.

Figure 2-15 (topology): PC with gateway and VPN configuration on the remote side; IPsec tunnel to the SCALANCE S615, whose tunnel endpoint lies on VLAN1 ( /24); the source address of each packet leaving the tunnel ( x) is translated to the VLAN1 address of the SCALANCE S615; CPU1 and CPU2 on VLAN1 without gateway.

Requirements

An existing IPsec tunnel with the SCALANCE S615 as the tunnel endpoint is the basis of this configuration. The VPN partner can be, for example, the SOFTNET Security Client (SSC) or another SCALANCE S connected upstream of the PC. For network separation, the SCALANCE S615 has VLANs with different network IDs and therefore a separate IP address for each VLAN (in this document: VLAN1: ). Only VLAN1 is of interest for this configuration, as this is where the VPN tunnel terminates. To translate the frames from the VPN tunnel to a different source IP address, a NAT table is additionally defined in the SCALANCE S615.

Process flow (active connection establishment from PC to CPU)

All message frames from the VPN tunnel reach the SCALANCE S615 on subnet VLAN1. Using the definition in its NAT table, the SCALANCE S615 replaces the source IP address with its own IP address ( ) and sends the packet to the appropriate node. From the CPU's perspective, all packets come from the local subnet VLAN1, to which a direct reply is possible. In all reply packets from the CPU to the PC, the destination IP address is automatically replaced with the PC IP address. The assignment is made based on the existing state in the firewall; there is no manual assignment as with destination NAT.

Advantages / Disadvantages

The advantage is that access is possible without having to change the settings in the terminals (reaction-free). The disadvantage is that, due to the identical source IP addresses, it is no longer clear which remote node sent the packets.

NAT and firewall rules

In the NAT table of the SCALANCE S615, all packets from the VPN tunnel are translated to a separate VLAN1 IP address (Figure 2-16).

The firewall must allow communication between the VPN tunnel and the internal network, VLAN1. The services are unrestricted (Figure 2-17).

Remarks

Address translation using source NAT is performed behind the firewall; consequently, the remote VPN addresses must be used as the source range. By specifying /0, all IP addresses are allowed. This is necessary, for example, if the remote subnet of the tunnel is not known in advance when using SSC.

The shown firewall rule is optional as, by default, all packets from the VPN tunnel are always enabled for VLAN1. When using a different or additional VLAN, this rule is always required.

As the source interface of the firewall and NAT, you can either enable all tunnels ("IPSec all") or select specific tunnels (via Interface = "Endpoint").

This configuration corresponds to the method of functioning of SINEMA RC when "Device is network gateway" is not checked. This method, too, performs source NAT from the tunnel.

2.9 S7 connection with double NAT

Starting situation

The CPUs are to establish an S7 connection to one another. No gateway is configured in the modules and no changes are to be made to the hardware settings. The S7 connection runs on a port that cannot be changed, TCP 102.

Figure 2-18: VLAN2 (/24) with CPU2 (gateway: none) and the additional IP address; VLAN1 (/24) with CPU1 (gateway: none).

Requirements

For network separation, the SCALANCE S615 has two VLANs with different network IDs. As a result, the device has a separate IP address for each VLAN (in this document: VLAN1: and VLAN2: ). In addition, a source and destination NAT table is defined in the SCALANCE S615 to translate the CPUs' message frames to a different IP address. This requires another IP address from the subnet of VLAN2.

Process flow (active connection establishment from CPU2 to CPU1)

The additional NAT IP address is used by the SCALANCE S615. CPU2 accesses the local IP address as the destination. Using the definition in its NAT table, the SCALANCE S615 replaces the source and destination IP address and sends the packet to CPU1. Due to the change of the source IP address, all packets, from CPU1's perspective, come from CPU2 via the local subnet VLAN1. Therefore, CPU1 can reply directly without a gateway entry. In all reply packets from CPU1 to CPU2, the source and destination IP addresses are automatically replaced.

Advantages / Disadvantages

The advantage of the NAT table is that, due to the use of an additional address, all ports can be forwarded or used. Subsequent changes to the CPUs' hardware configuration are not required (reaction-free). The disadvantage is that only active connection establishment from CPU2 to CPU1 is possible. Furthermore, an additional IP address from the subnet of VLAN2 is required that must be configured accordingly.

NAT and firewall rules

The destination NAT table of the SCALANCE S615 translates packets from VLAN2 with the destination IP address to the CPU's IP address (Figure 2-19).

The source NAT table of the SCALANCE S615 translates packets with the source IP address to its own VLAN1 IP address (Figure 2-20).

The firewall must allow communication between CPU2 (VLAN2) and CPU1 (VLAN1). The services are limited to TCP port 102 (Figure 2-21).

Remarks

Address translation using source NAT is performed behind the firewall; consequently, the physical addresses must be used here. Destination NAT has already been performed before the firewall; consequently, the translated addresses must be used here.

The "Trans.Destination IP Subnet" column in the SCALANCE S615 may only be configured with a single IP address (/32). Only then does the SCALANCE S615 reply to ARP requests for the additional IP addresses.

3 Valuable Information

3.1 General principles

Classless Inter-Domain Routing (CIDR)

Description

The firewall and NAT configuration in the S615 largely uses CIDR suffix notation. CIDR is a method that combines multiple IPv4 addresses into a single address range by representing an IPv4 address together with its subnet mask. To this end, the suffix "/x", indicating the number ("x") of network mask bits set to "1", is added to the IPv4 address. CIDR notation allows the user to reduce routing tables and make better use of the available address ranges.

Example

IPv4 address with subnet mask: in the binary representation, the network portion of the address comprises three times 8 bits, i.e. 24 bits. This results in CIDR notation /24. If you want to access all addresses, use the following notation: /0. If you want to access only one address from the network (subnet mask: ), this results in the following notation: /32.

Connection directions in the network

What is decisive for the configuration of the firewall and NAT is the direction of connection establishment. Therefore, the direction must be defined in advance. A connection is always actively established by one node; the partner waits passively for the incoming connection. This defines the destination port (e.g. HTTP on port 80) of connection establishment. Normally, the source port of connection establishment is dynamically managed by the operating system and not known in advance. Exceptions are, for example, native TCP/UDP connections between S7 CPUs or CPs where a fixed source port was defined.

Note: S7 connections always have the destination port TCP 102 and a dynamic source port.

NAT mechanisms

NAT

NAT (Network Address Translation) is a method of translating IP addresses in data packets. It can be used to interconnect two different networks (internal and external). There are two different kinds of NAT: source NAT, which translates the source IP address, and destination NAT, which translates the destination IP address.

IP masquerading

IP masquerading is simplified source NAT. With each outgoing data packet sent via this interface, the source IP address is replaced with the IP address of the interface. The adapted data packet is sent to the destination IP address. To the destination host, it seems as if the requests always came from the same sender. The internal nodes cannot be directly accessed from the external network. Using NAPT, the services of the internal nodes can be made accessible via the external IP address of the device. IP masquerading can be used if the internal IP addresses cannot or should not be routed externally, for example, because the internal network structure should remain hidden.

NAPT

NAPT (Network Address and Port Translation) is a form of destination NAT and is also called port forwarding. It can be used to make services of the internal nodes accessible from the outside that are hidden by IP masquerading or source NAT. It translates incoming data packets from the external network that are intended for an external IP address of the device (destination IP address). The destination IP address is replaced with the IP address of the internal node. In addition to address translation, port translation is possible as well.

Source NAT

Like IP masquerading, source NAT translates the source IP address. In addition, it can be used to limit the outgoing data packets. This includes limiting them to certain IP addresses or IP address ranges and certain interfaces. These rules can also be applied to VPN connections. Source NAT can be used if the internal IP addresses cannot or should not be routed externally.

NETMAP

With NETMAP, complete subnets can be translated to a different subnet. This translation changes the subnet portion of the IP address and retains the host portion. For translating, NETMAP requires only one rule; to perform the same translation with destination NAT and source NAT, many rules would be required. NETMAP can translate both the source IP address and the destination IP address. NETMAP can also be applied to VPN connections.

Firewall and NAT

Firewall

The security functions of the SCALANCE S615 include a stateful inspection firewall. This is a packet filtering / packet inspection method. The IP packets are inspected based on firewall rules that define the following:

- Allowed protocols
- IP addresses and ports of the allowed sources
- IP addresses and ports of the allowed destinations

If an IP packet matches the specified parameters, it is allowed to pass through the firewall. The rules also specify what to do with IP packets that are not allowed to pass through the firewall. Simple packet filtering methods require two firewall rules per connection: one rule for the request direction from the source to the destination, and a second rule for the reply direction from the destination to the source.

Stateful inspection firewall

In contrast, when using a stateful inspection firewall, you only need to specify one firewall rule for the request direction from the source to the destination. The second rule is added implicitly. The packet filter remembers when, for example, computer "A" communicates with computer "B" and allows replies only when this is the case. A request from computer "B" is therefore not possible without a prior request from computer "A".

Firewall and NAT

When configuring NAT, there is no automatic enable in the firewall. The NAT router settings and the firewall rules must be matched such that message frames with a translated address can pass through the firewall. What is important is the order in which the message frames pass through NAT and the firewall, as IP addresses/ports are changed depending on the NAT used. When using destination NAT, the destination IP address and/or destination port are translated before passing through the firewall. Accordingly, the firewall rules must be created with the IP addresses and ports that have already been changed. When using source NAT, the source IP address is translated after passing through the firewall. The IP address that has already been changed can no longer be filtered in the firewall.

Note: For the SCALANCE S615, the number of firewall and NAT rules is limited to 64. The rules do not add up; consequently, 64 NAT and 64 firewall rules are possible at the same time.
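The packet path just described (destination NAT before the firewall, source NAT after it, replies matched from firewall state), the CIDR matching of section 3.1, the source-port change noted in section 2.7 and the double-NAT rule of section 2.9 are combined in the following Python simulation. It is an added example and not Siemens code or the S615's implementation; all addresses are constructed placeholders (the document's own addresses did not survive extraction), and the device model is simplified (first matching entry wins, replies are recognised by the reverse 5-tuple).

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed placeholder addresses; the document's own addresses did not survive extraction.
VLAN1_NET, VLAN2_NET = "10.0.1.0/24", "10.0.2.0/24"
S615_VLAN1 = "10.0.1.1"            # S615 address in VLAN1, used as translated source
CPU1, CPU2, CPU3 = "10.0.1.10", "10.0.2.20", "10.0.2.21"
EXTRA_IP = "10.0.2.100"            # additional VLAN2 address for destination NAT (section 2.9)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def cidr_match(addr, cidr):
    """CIDR suffix notation as in the S615 tables: /0 matches any address, /32 one host."""
    return ip_address(addr) in ip_network(cidr, strict=False)


class S615:
    """Packet path of the device: destination NAT -> stateful firewall -> source NAT."""

    def __init__(self):
        self.dnat = []           # (dst_cidr, translated_dst), applied before the firewall
        self.snat = []           # (src_cidr, translated_src), applied after the firewall
        self.rules = []          # (src_cidr, dst_cidr, proto, dport or None for any)
        self.conntrack = {}      # post-NAT forward 5-tuple -> original (pre-NAT) packet
        self.sport_owner = {}    # (translated_src, proto, sport) -> original source address

    def _allowed(self, p):
        return any(cidr_match(p.src, s) and cidr_match(p.dst, d)
                   and proto in ("any", p.proto) and dport in (None, p.dport)
                   for s, d, proto, dport in self.rules)

    def forward(self, pkt):
        """Return the packet as it leaves the device, or None if the firewall drops it."""
        # Reply to a tracked connection: both translations are reversed from firewall state,
        # without a rule lookup and without a manual assignment, as the text describes.
        key = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if key in self.conntrack:
            orig = self.conntrack[key]
            return replace(pkt, src=orig.dst, dst=orig.src, dport=orig.sport)
        orig = pkt
        # 1. Destination NAT runs first, so the firewall sees the translated destination.
        for dst_cidr, to in self.dnat:
            if cidr_match(pkt.dst, dst_cidr):
                pkt = replace(pkt, dst=to)
                break
        # 2. Stateful inspection: one rule in the request direction is enough.
        if not self._allowed(pkt):
            return None
        # 3. Source NAT runs last, so the firewall still saw the physical source address.
        for src_cidr, to in self.snat:
            if cidr_match(pkt.src, src_cidr):
                sport = pkt.sport
                # N:1 translation: if another node already owns this source port behind the
                # same translated address, the source port has to change (remark in 2.7).
                while self.sport_owner.get((to, pkt.proto, sport), orig.src) != orig.src:
                    sport += 1
                self.sport_owner[(to, pkt.proto, sport)] = orig.src
                pkt = replace(pkt, src=to, sport=sport)
                break
        self.conntrack[(pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)] = orig
        return pkt


def double_nat_device(rule_dst=CPU1 + "/32"):
    """Section 2.9: CPU2 addresses EXTRA_IP; DNAT to CPU1, SNAT to the S615 VLAN1 address.

    The correct rule names the physical source (SNAT not yet applied) and the translated
    destination (DNAT already applied); passing EXTRA_IP as rule_dst shows the wrong form."""
    dev = S615()
    dev.dnat.append((EXTRA_IP + "/32", CPU1))
    dev.snat.append((VLAN2_NET, S615_VLAN1))
    dev.rules.append((VLAN2_NET, rule_dst, "tcp", 102))
    return dev


def s7_exchange(dev):
    """Send the S7 connection request from CPU2 and CPU1's reply through the device."""
    out = dev.forward(Packet(CPU2, EXTRA_IP, "tcp", 49152, 102))
    if out is None:
        return None, None
    back = dev.forward(Packet(CPU1, out.src, "tcp", 102, out.sport))
    return out, back


def source_port_collision(dev):
    """Two VLAN2 nodes using the same source port: the second leaves with a different port."""
    a = dev.forward(Packet(CPU2, EXTRA_IP, "tcp", 50000, 102))
    b = dev.forward(Packet(CPU3, EXTRA_IP, "tcp", 50000, 102))
    return a.sport, b.sport
```

Calling s7_exchange(double_nat_device()) shows the request leaving with the S615's VLAN1 address as source and CPU1 as destination, and the reply arriving at CPU2 with the additional address as source; the same exchange through double_nat_device(EXTRA_IP + "/32") is dropped, because the firewall only ever sees the already translated destination.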

3.2 S7 connections and NAT

For S7 connections specified on both sides, both sides check the partner's IP address when the connection is established. As neither the source nor the destination IP address can be changed when using NAT, a connection using this method cannot work. Instead, create a new connection with the "unspecified" partner on both modules or, alternatively, create a unilateral connection on resource 03 with PUT/GET. This setting allows you to manually enter the IP address. According to NAT, use the translated IP address with which the connection comes in or to which sending takes place. In the address details, enter the rack, slot and connection resource. Vice versa, the "Local" values correspond to the "Partner" entry of the other module.

3.3 TIA Online functions and NAT

Source NAT makes no difference regarding the use of the TIA Online function as, by default, the PG connection is accepted from any IP address. When using destination NAT, the IP address in the project no longer matches the IP address translated by NAT through which the appropriate module can actually be accessed. Therefore, destination NAT requires that the translated NAT IP address to which you want to establish the connection be specified in advance:

1. In TIA Portal, open the "Online > Extended go online" menu item.
2. Set the interface based on the PC or module interfaces you are using.
3. Select "Show accessible devices".
4. Click the first blank row of the "Address" column. An input field appears, where you can enter the NAT IP address.
5. Then use the appropriate button to search for devices.
6. Do not accept a suggestion to add another IP address and click "next".

4 Appendix

4.1 Service and Support

Industry Online Support

Do you have any questions or do you need support? With Industry Online Support, our complete service and support know-how and services are available to you 24/7. Industry Online Support is the place to go for information about our products, solutions and services. Product information, manuals, downloads, FAQs and application examples: all the information can be accessed with just a few clicks.

Technical Support

Siemens Industry's Technical Support offers you fast and competent support for any technical queries you may have, including numerous tailor-made offerings ranging from basic support to custom support contracts. You can use the web form below to send queries to Technical Support.

Service offer

Our service offer includes the following services:

- Product Training
- Plant Data Services
- Spare Part Services
- Repair Services
- Field & Maintenance Services
- Retrofit & Modernization Services
- Service Programs & Agreements

For detailed information about our service offer, please refer to the Service Catalog.

Industry Online Support app

The "Siemens Industry Online Support" app provides you with optimum support while on the go. The app is available for Apple iOS, Android and Windows Phone.


More information

Improving the performance of the Process Historian

Improving the performance of the Process Historian Application example 01/2016 Improving the performance of the Process Historian SIMATIC PCS 7 https://support.industry.siemens.com/cs/ww/en/view/66579062 Warranty and Liability Warranty and Liability Note

More information

https://support.industry.siemens.com/cs/ww/en/view/

https://support.industry.siemens.com/cs/ww/en/view/ Light control with LOGO! and HMI Panel Application example 07/2017 https://support.industry.siemens.com/cs/ww/en/view/109747758 Siemens Industry Online Support Warranty and liability Warranty and liability

More information

Message Cycle Report for the Information Server. SIMATIC PCS 7, SIMATIC Information Server Siemens Industry Online Support

Message Cycle Report for the Information Server. SIMATIC PCS 7, SIMATIC Information Server Siemens Industry Online Support Message Cycle Report for the Information Server SIMATIC PCS 7, SIMATIC Information Server 2014 https://support.industry.siemens.com/cs/ww/en/view/64906050 Siemens Industry Online Support Legal information

More information

Networking a SINUMERIK 828D

Networking a SINUMERIK 828D Application description 06/2015 828D SINUMERIK 828D, SW 4.5 SP3 https://support.industry.siemens.com/cs/ww/en/view/109474567 Warranty and liability Warranty and liability Note The Application Examples

More information

https://support.industry.siemens.com/cs/ww/en/view/

https://support.industry.siemens.com/cs/ww/en/view/ Generating the Parameters for the Modbus/TCP Communication https://support.industry.siemens.com/cs/ww/en/view/60735352 Siemens Industry Online Support Siemens AG 2016-20186 All rights reserved Warranty

More information

Guideline for Library Handling in TIA Portal TIA Portal V14 SP1 https://support.industry.siemens.com/cs/ww/en/view/109747503 Siemens Industry Online Support Siemens AG 2017 All rights reserved Warranty

More information

Setting up a secure VPN Connection between SCALANCE M-800 and SSC

Setting up a secure VPN Connection between SCALANCE M-800 and SSC Configuration Example 12/2015 Setting up a secure VPN Connection between SCALANCE M-800 and SSC SCALANCE S615, SCALANCE M-800, SOFTNET Security Client https://support.industry.siemens.com/cs/ww/de/view/109481101

More information

Transmitting HMI data to an external monitor

Transmitting HMI data to an external monitor Application description 07/2015 Transmitting HMI data to an external monitor SINUMERIK 828D, SW 4.5 SP3 https://support.industry.siemens.com/cs/ww/en/view/109477688 Warranty and liability Warranty and

More information

Single Message Report for the Information Server. SIMATIC PCS 7, SIMATIC Information Server Siemens Industry Online Support

Single Message Report for the Information Server. SIMATIC PCS 7, SIMATIC Information Server Siemens Industry Online Support Single Message Report for the Information Server SIMATIC PCS 7, SIMATIC Information Server 2014 https://support.industry.siemens.com/cs/ww/en/view/64906050 Siemens Industry Online Support Legal information

More information

Checking of STEP 7 Programs for the Migration of S7-318 to S CPU318 Migration Check. Application description 01/2015

Checking of STEP 7 Programs for the Migration of S7-318 to S CPU318 Migration Check. Application description 01/2015 Application description 01/2015 Checking of STEP 7 Programs for the Migration of S7-318 to S7-300 http://support.automation.siemens.com/ww/view/en/22680601 Warranty and liability Warranty and liability

More information

Applications & Tools. Security Configurations in LAN and WAN (DSL) with SCALANCE S61x Modules and the Softnet Security Client. Industrial Security

Applications & Tools. Security Configurations in LAN and WAN (DSL) with SCALANCE S61x Modules and the Softnet Security Client. Industrial Security Cover Configurations in LAN and WAN (DSL) with S61x Modules and the Softnet Client Industrial Application Description March 2010 Applications & Tools Answers for industry. Industry Automation and Drives

More information

Acknowledgement of WinCC Messages with forced comments WinCC V7 https://support.industry.siemens.com/cs/ww/en/view/52329908 Siemens Industry Online Support Warranty and liability Warranty and liability

More information

Setting up time synchronization of Process Historian and Information Server

Setting up time synchronization of Process Historian and Information Server Application example 11/2015 Setting up time synchronization of Process Historian and Information Server SIMATIC PCS 7 V8.1 https://support.industry.siemens.com/cs/ww/en/view/66579062 Warranty and Liability

More information

Display of SINAMICS Error Messages in Runtime Professional

Display of SINAMICS Error Messages in Runtime Professional Application Example 09/2016 Display of SINAMICS Error Messages in Runtime Professional SINAMICS G120, WinCC Runtime Professional https://support.industry.siemens.com/cs/ww/en/view/109738320 Warranty and

More information

https://support.industry.siemens.com/cs/ww/en/view/

https://support.industry.siemens.com/cs/ww/en/view/ LOGO! 8 Heater and Fan Control (CO2 and %RH) for KNX LOGO! 8, LOGO! CMK2000 https://support.industry.siemens.com/cs/ww/en/view/109748588 Siemens Industry Online Support Siemens AG 2017 All rights reserved

More information

SIMATIC PDM - Central access to MODBUS RTU devices

SIMATIC PDM - Central access to MODBUS RTU devices Application example 03/2017 SIMATIC PDM - Central access to MODBUS RTU devices Customer benefits and a step-by-step description in Engineering https://support.industry.siemens.com/cs/ww/en/view/109740107

More information

Display of SINAMICS Fault Messages in WinCC V7.4

Display of SINAMICS Fault Messages in WinCC V7.4 Application Example 03/2017 Display of SINAMICS Fault Messages in WinCC V7.4 SINAMICS G120, WinCC V7.4 https://support.industry.siemens.com/cs/ww/de/view/109744939 Warranty and Liability Warranty and Liability

More information

Setting up a secure VPN Connection between two M812-1 Using a static IP Address

Setting up a secure VPN Connection between two M812-1 Using a static IP Address Configuration Example 07/2015 Setting up a secure VPN Connection between two M812-1 Using a static IP Address SCALANCE M https://support.industry.siemens.com/cs/ww/en/view/109477919 Warranty and Liability

More information

Communication between HMI and Frequency Converter. Basic Panel, Comfort Panel, Runtime Advanced, SINAMICS G120. Application Example 04/2016

Communication between HMI and Frequency Converter. Basic Panel, Comfort Panel, Runtime Advanced, SINAMICS G120. Application Example 04/2016 Application Example 04/2016 Communication between HMI and Frequency Converter Basic Panel, Comfort Panel, Runtime Advanced, SINAMICS G120 https://support.industry.siemens.com/cs/ww/en/view/109481157 Warranty

More information

TeleService of a S station via mobile network

TeleService of a S station via mobile network Application Example 10/2016 TeleService of a S7-1200 station via mobile network CP 1242-7 V2, CP 1243-7 LTE, TCSB V3 https://support.industry.siemens.com/cs/ww/en/view/56720905 Warranty and Liability Warranty

More information

Exchange of large data volumes between S control system and WinCC

Exchange of large data volumes between S control system and WinCC Application Example 09/2016 Exchange of large data volumes between S7-1500 control system and WinCC S7-1500, WinCC V7.4 https://support.industry.siemens.com/cs/ww/de/view/37873547 Warranty and Liability

More information

Key Panel Library / TIA Portal

Key Panel Library / TIA Portal Application Example 06/2015 Key Panel Library / TIA Portal Configuration Manual https://support.industry.siemens.com/cs/ww/en/63482149 Warranty and Liability Warranty and Liability Note The application

More information

Fail-Safe Group Shutdown of the ET 200SP F-Motor Starter with F-DQ SIMATIC Safety Integrated https://support.industry.siemens.com/cs/ww/en/view/109748128 Siemens Industry Online Support Warranty and Liability

More information

Connection of SIMATIC Energy Suite to SIMATIC Energy Manager PRO and subsequent Reporting SIMATIC Energy Manager PRO V7.0, SIMATIC Energy Suite V14 SP1 https://support.industry.siemens.com/cs/ww/en/view/109744400

More information

PCS 7 Configuration Changes in RUN with Active Fieldbus Diagnosis

PCS 7 Configuration Changes in RUN with Active Fieldbus Diagnosis Application example 11/2016 PCS 7 Configuration Changes in RUN with Active Fieldbus Diagnosis SIMATIC PCS 7 V8.1 or higher https://support.industry.siemens.com/cs/ww/en/view/109741092 Siemens AG 2016 All

More information

Application for Process Automation

Application for Process Automation Application for Process Automation Connecting external periphery to PCS 7 via IE/PB Link PN IO Application Note Warranty, liability and support Note The Application Examples are not binding and do not

More information

Tabular SIMATIC BATCH report for the Information Server. SIMATIC PCS 7 / SIMATIC Information Server 2014 / Customized Reporting

Tabular SIMATIC BATCH report for the Information Server. SIMATIC PCS 7 / SIMATIC Information Server 2014 / Customized Reporting Tabular SIMATIC BATCH report for the Information Server SIMATIC PCS 7 / SIMATIC Information Server 2014 / Customized Reporting https://support.industry.siemens.com/cs/ww/en/view/64906050 Siemens Industry

More information

Application on Control Technology

Application on Control Technology Application on Control Technology Programming example in Ladder Logic (SSL) to determine a battery fault Warranty, liability and support Note The application examples are not binding and do not claim to

More information

https://support.industry.siemens.com/cs/ww/en/view/

https://support.industry.siemens.com/cs/ww/en/view/ Setup a new Process Historian with an existing Historian Storage Database SIMATIC Process Historian 2013/2014 https://support.industry.siemens.com/cs/ww/en/view/66579062 Siemens Industry Online Support

More information

S Data Transfer with SEND/RECEIVE Interface

S Data Transfer with SEND/RECEIVE Interface Application Example 04/2016 S7-1500 Data Transfer with SEND/RECEIVE Interface WinCC/IndustrialDataBridge, S7-1500 https://support.industry.siemens.com/cs/ww/en/view/109483465 Warranty and Liability Warranty

More information

Setting up VPN connection between two SCALANCE SC SCALANCE SC https://support.industry.siemens.com/cs/ww/en/view/99681360 Siemens Industry Online Support Siemens AG 2018 All rights reserved Legal information

More information

STEP 7 function block to control a MICROMASTER 4 or SINAMICS G120/G120D via PROFIBUS DP

STEP 7 function block to control a MICROMASTER 4 or SINAMICS G120/G120D via PROFIBUS DP Application description 01/2014 STEP 7 function block to control a MICROMASTER 4 or SINAMICS G120/G120D via PROFIBUS DP Function / application of the FB14 in a SIMATIC S7-300/400 in STEP 7V5.x http://support.automation.siemens.com/ww/view/en/22078757

More information

Plant Data Interface for the Food & Beverage Industry in SIMATIC PCS 7. Interface description based on Weihenstephan Standards

Plant Data Interface for the Food & Beverage Industry in SIMATIC PCS 7. Interface description based on Weihenstephan Standards Application example 05/2016 Plant Data Interface for the Food & Beverage Industry in SIMATIC PCS 7 Interface description based on Weihenstephan Standards https://support.industry.siemens.com/cs/ww/en/view/109483798

More information

House Control with Touch Panel

House Control with Touch Panel Application Example 04/2016 House Control with Touch Panel LOGO! 8, KTP700 Set 10 https://support.industry.siemens.com/cs/ww/en/view/68585344 Warranty and liability Warranty and liability Note The Application

More information

Safety-Related IO Controller-I-Device Communication SIMATIC, PROFIsafe https://support.industry.siemens.com/cs/ww/en/view/109478798 Siemens Industry Online Support Legal information Legal information Use

More information

Cover. WinAC Command. User documentation. V1.5 November Applikationen & Tools. Answers for industry.

Cover. WinAC Command. User documentation. V1.5 November Applikationen & Tools. Answers for industry. Cover WinAC Command User documentation V1.5 November 2009 Applikationen & Tools Answers for industry. Industry Automation and Drives Technologies Service & Support Portal This article is taken from the

More information

Comparing Libraries using the "Library Compare" Tool TIA Portal Openness / V15 https://support.industry.siemens.com/cs/ww/en/view/109749141 Siemens Industry Online Support Legal information Legal information

More information

PCS 7 Process Visualization on Mobile Devices with RDP

PCS 7 Process Visualization on Mobile Devices with RDP i Application Example 04/2016 on Mobile Devices with RDP SIMATIC PCS 7 V8.1 https://support.industry.siemens.com/cs/ww/en/view/102843424 Warranty and Liability Warranty and Liability Note The Application

More information

Setting up a secure VPN Connection between SCALANCE S and M812-1 Using a static IP Address

Setting up a secure VPN Connection between SCALANCE S and M812-1 Using a static IP Address Configuration Example 09/2014 Setting up a secure VPN Connection between SCALANCE S and M812-1 Using a static IP Address SCALANCE S, SCALANCE M http://support.automation.siemens.com/ww/view/en/99681595

More information

Passivation and Reintegration of F-/O S7-1200/1500, ET 200SP, STEP 7 Safety Basic/Advanced https://support.industry.siemens.com/cs/ww/en/view/22304119 Siemens Industry Online Support Intern Siemens AG

More information

Engineering of the Configuration Control for IO Systems

Engineering of the Configuration Control for IO Systems pplication Example 03/2017 Engineering of the Configuration Control for IO Systems ET 200SP, ReconfigIOSystem https://support.industry.siemens.com/cs/ww/en/view/29430270 Siemens G 2016 ll rights reserved

More information

Acyclic Reading and Writing with the Library for SIMOTION SIMOTION https://support.industry.siemens.com/cs/ww/en/view/109740369 Siemens Industry Online Support Siemens AG 2017 All rights reserved Warranty

More information

https://support.industry.siemens.com/cs/ww/en/view/

https://support.industry.siemens.com/cs/ww/en/view/ Fail-Safe Group Shutdown of the ET 200SP F-Motor Starter with F-PM-E SIMATIC Safety Integrated https://support.industry.siemens.com/cs/ww/en/view/109748128 Siemens Industry Online Support Warranty and

More information

https://support.industry.siemens.com/cs/ww/en/view/

https://support.industry.siemens.com/cs/ww/en/view/ Toolbox for HMI projects - Simplified engineering SIMATIC WinCC (TIA Portal) from V13 SP1 SIMATIC WinCC RT (TIA Portal) from V13 SP1 SIMATIC TIA Portal Openness https://support.industry.siemens.com/cs/ww/en/view/106226404

More information