Scalance Xm-400 / XR-500 As Static NAT Router
Security Information
Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens’ products and solutions only form one element of such a concept.
The customer is responsible to prevent unauthorized access to its plants, systems, machines and networks. Systems, machines and components should only be connected to the enterprise network or the internet if and to the extent necessary and with appropriate security measures (e.g. use of firewalls and network segmentation) in place.
Additionally, Siemens’ guidance on appropriate security measures should be taken into account. For more information about industrial security, please visit http://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them more secure. Siemens strongly recommends to apply product updates as soon as available and to always use the latest product versions. Use of product versions that are no longer supported, and failure to apply latest updates may increase the customer’s exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial
Siemens AG 2018 All rights reserved
Contents
1 Introduction ... 3
1.1 Network Address Translation ... 3
1.2 NAT Function in SCALANCE XM-400 / XR-500 ... 5
2 Task and Solution ... 7
3 Configuration ... 9
3.1 Preparation ... 9
3.2 Configuration via the Web Based Management ... 11
3.2.1 Preparation ... 11
3.2.2 Create VLANs ... 11
3.2.3 Define the IP Interface ... 15
3.2.4 Configure Static NAT ... 17
3.3 Configuration via the Command Line Interface ... 21
3.3.1 Preparation ... 21
3.3.2 Create VLANs ... 23
3.3.3 Define the IP Interface ... 27
3.3.4 Configure Static NAT ... 28
4 Operation ... 31
NAT, Entry ID: 109762688, V 1.0, 12/2018
1 Introduction
1.1 Network Address Translation
Network Address Translation (abbreviation: NAT) was specified in the 1990s and is
described, among other documents, in RFC 1631.
The main motivation for developing NAT was the shortage of public IPv4
addresses and the possibility of using private addressing in distinct network areas.
NAT permits you to separate private and public network areas.
Brief description
NAT is a method used in IP routers to replace one IPv4 address in a data packet with
another IPv4 address. This permits two different networks (internal and external) to
be connected with each other.
When a data packet crosses the boundary between an inside and an outside
network, the router exchanges the IP addresses accordingly. The IP addresses are
replaced on the basis of a translation table (NAT table) stored in the IP router.
Figure 1-1: PC 1 and PC 2 connected via a router whose NAT table contains the entry 192.168.0.4 / 10.0.7.40.
Translation options
In the context of address translation, the terms NAT and NAPT (Network Address
Port Translation) are used in parallel. Technically speaking, the two procedures
differ as follows:
- With NAT, an IPv4 address is replaced 1:1 by another IPv4 address. A
difference is made between Source NAT, in which the source IP address is
translated, and Destination NAT, in which the destination IP address is
translated. Both variants can also be used together.
- NAPT is an n:1 translation. With NAPT, multiple IPv4 addresses share a
single IPv4 address after translation. Port numbers are used here to
achieve exact assignment of the data packets.
Advantages
You have the following advantages when using the NAT function:
- You can hide the IP addresses on industrial networks or on the outside.
Network separation
With the NAT function, the IP addresses of one subnetwork are translated into IP
addresses of another subnetwork.
For this, in SCALANCE, IP interfaces are used, each of which has been configured
as a virtual IP interface of a VLAN.
Terminology
In the NAT configuration in SCALANCE XM-400 or SCALANCE XR-500, the
subnetworks are divided into "Inside" and "Outside". The division is done from the
perspective of a NAT interface.
- All networks that are reachable directly via the NAT interface itself are
considered to be "Outside" for this interface.
- All networks that are reachable via other IP interfaces of the same device are
considered to be "Inside" for this NAT interface.
In the following example we have two IP subnetworks connected together via a
SCALANCE XM-400. PC 1 is to communicate via NAT with PC 2. The IP networks
are divided as follows from the perspective of the NAT interface "10.0.7.1":
- VLAN 2: Outside
- VLAN 1: Inside
Figure 1-2: PC 1 in VLAN 1 (Inside) and PC 2 in VLAN 2 (Outside), seen from the NAT interface 10.0.7.1.
Perspective
Depending on the perspective, the IP address of a communications user is
designated "Local" or "Global".
Table 1-1
Position "Inside":
Local: A real IP address that is assigned to a device in the internal network. This address cannot be accessed from the external network.
Global: An IP address via which an internal device can be accessed from the external network.
Position "Outside":
Local and Global: A real IP address that is assigned to a device in the external network. Since only "Inside" addresses are translated, no difference is made between Outside Local and Outside Global.
Note The NAT function is implemented as a software function in the SCALANCE XM-400 and SCALANCE XR-500 and has a restricted bandwidth of 1.2 Mbit.
The entire NAT communication therefore runs via the CPU of the SCALANCE XM-400 and SCALANCE XR-500 and competes with the other IP communication that is handled by the CPU, for example WBM and Telnet.
Be aware that a large part of the computing capacity is occupied when you use NAT. This means that access via Telnet or WBM might be slower.
For this reason the NAT function is best suited for just a few addresses and small volumes of data. A SCALANCE S615 or SC-600 is recommended for high-performance applications.
2 Task and Solution
Task figure: PC 1 with the address 192.168.0.4 and PC 2 with the address 10.0.7.4.
Solution
To connect the two different IP subnetworks with each other, a SCALANCE
3 Configuration
3.1 Preparation
Overview
The following figure shows the IP addresses, VLANs and virtual IP interfaces used
for this configuration.
Figure 3-1: PC 1 is connected to port P1.1 and PC 2 to port P1.2. The NAT table used is:
Inside Local -> Inside Global
192.168.0.4 -> 10.0.7.44
10.0.7.4 -> 192.168.0.44
Factory settings
Reset the SCALANCE to the factory settings to make sure that the function of the
example is not impaired by older configurations or settings.
Refer to the manual of the module for instructions about resetting to factory
settings.
Note When you reset the SCALANCE to factory settings, all the settings and IP
addresses are lost.
IP address
In order to configure the SCALANCE via the Web Based Management
(abbreviation: WBM) or via the Command Line Interface (abbreviation: CLI) the
module needs an IP address.
Assign the management IP address "192.168.0.1" to the SCALANCE.
Since PC 1 is in the same IP subnetwork as the management IP address of the
SCALANCE, you use PC 1 for assigning the IP address.
You can use the STEP 7 function "Edit Ethernet Node..." or the Primary Setup Tool
(PST), for example, to assign an IP address.
Configuration options
This example shows you two options for configuring the SCALANCE XM408-8C:
- Web Based Management
- Command Line Interface
Follow the instructions in section 3.2 to configure the SCALANCE using the Web
Based Management.
Follow the instructions in section 3.3 to configure the SCALANCE using the
Command Line Interface.
Configuration steps
Proceed as follows to configure the SCALANCE XM408-8C for operation as a NAT
router:
- Create VLANs
- Define virtual IP interface
- Activate NAT
- Install static NAT
These configuration steps apply to configuration via the WBM and via the CLI.
To configure the SCALANCE via the Web Based Management you open an
internet browser on PC 1 and in the address line you enter the IP address of the
SCALANCE: https://192.168.0.1.
If you have reset the SCALANCE to factory settings, you log on with the following
data:
User: admin
Password: admin
You are requested to assign a new password. Follow the instructions and create a
new password.
When you have changed the password, then the home page of the Web Based
Management is displayed.
At least two IP interfaces are needed for the NAT function, each of which is
configured as a virtual IP interface of a VLAN. The management VLAN (VLAN 1)
and the associated virtual IP interface are present by default; you have to create a
second VLAN and also create a new virtual IP interface for that VLAN. The new
VLAN becomes VLAN 2.
2. A new entry is created in the table. The port fields are occupied by default with
"-" so that no port is assigned to the new VLAN.
Figure 3-4
3. You can enter a name for the VLANs in the "Name" column if you wish. Click
The SCALANCE has a virtual IP interface of a VLAN for each adjacent subnetwork.
Two subnetworks are needed in this example (Inside and Outside). Therefore the
SCALANCE needs two IP interfaces.
In section 3.2.2 you have created the basis for another subnetwork by creating
another VLAN (VLAN 2).
Since the management VLAN (VLAN 1) and the associated virtual IP interface are
present by default, you have to create a new virtual IP interface for VLAN 2.
Another item is added to the interface table and shows the newly created IP
interface with the subnetwork that has not yet been configured.
Figure 3-11
2. In the "IP Address" input field you enter the IP address "10.0.7.1" and in the
"Subnet Mask" input field you enter the subnet mask "255.255.255.0".
Figure 3-13
Activate NAT
In the "NAT" tab you can activate the NAT function globally for the device and
Siemens AG 2018 All rights reserved
define the NAT interfaces. When the NAT function has been activated globally for
the device and the NAT interfaces have been defined, the device operates as a
NAT router.
Proceed as follows to activate the NAT function.
1. Enable the "NAT" option to operate SCALANCE as a NAT router:
Figure 3-16
2. To define the interface "192.168.0.1" (VLAN 1) as NAT interface you open the
"Interface" drop-down list box and select "VLAN 1".
Activate NAT for the interface "192.168.0.1" (VLAN 1) by enabling the "NAT"
option.
Then click the "Set Values" button.
Figure 3-17
Activate NAT for the interface "10.0.7.1" (VLAN 2) by enabling the "NAT"
option.
Then click the "Set Values" button.
Figure 3-18
Proceed as follows to define the static address translation for the NAT interface
"192.168.0.1":
1. Open the "Interface" drop-down list box and select the NAT interface "VLAN 1".
VLAN 2 is "Inside" from the perspective of this NAT interface.
In the "Inside Local Address" input field you enter the real IP address of PC 2
("10.0.7.4").
In the "Inside Global Address" input field you enter the IP address of PC 2
under which PC 2 is to be accessible from outside ("192.168.0.44").
Figure 3-20
Proceed as follows to define the static address translation for the NAT interface
"10.0.7.1":
1. Open the "Interface" drop-down list box and select the NAT interface "VLAN 2".
VLAN 1 is "Inside" from the perspective of this NAT interface.
In the "Inside Local Address" input field you enter the real IP address of PC 1
("192,168.0.4").
In the "Inside Global Address" input field you enter the IP address of PC 1
under which PC 1 is to be accessible from outside ("10.0.7.44").
Figure 3-23
Note You have completed the configuration of the NAT function. An option for testing
the NAT function is given in chapter 4.
Setting up a connection
You need a terminal program to configure the SCALANCE using the Command
Line Interface. You can use the function integrated in Windows, a different terminal
program or the serial console cable.
In this example the free tool PuTTY is used.
Proceed as follows to establish a connection to the SCALANCE XM408-8C:
1. Start PuTTY and enter the IP address of the SCALANCE XM408-8C.
Select the required protocol, "SSH", for example.
2. Click the "Open" button to start the connection.
Figure 3-26
If you have reset the SCALANCE to factory settings, you log on with the following
data:
User: admin
Password: admin
You are requested to assign a new password. Follow the instructions and create a
new password.
When you have changed the password and have logged on successfully, you get
the following input prompt: "CLI#".
Note In the following configurations it is assumed that you are logged in as "admin".
With that login you are automatically in the "Privileged EXEC mode" and have
extended access authorization.
You get to the Global Configuration mode by entering the following command in
the Privileged EXEC mode:
CLI# configure terminal
The following input prompt is displayed: "CLI(config)#".
At least two IP interfaces are needed for the NAT function, each of which is
configured as a virtual IP interface of a VLAN. The management VLAN (VLAN 1)
and the associated virtual IP interface are present by default, you have to create a
second VLAN and also create a new virtual IP interface for that VLAN. The new
VLAN becomes VLAN 2.
Outset
You are in the Global Configuration mode.
The following input prompt is displayed: "CLI(config)#".
Assigning a name
To assign the new VLAN a name (in this case: VLAN2), you call the "name"
command as follows and press the Enter key:
- Port 1.2 is assigned to VLAN 2 as its only member. The port is "untagged" and
has the PVID 2.
- Port 1.1 is assigned to VLAN 1 as its only member. The port is "untagged" and
has the PVID 1.
To view the PVID settings you call the "do show" command as follows and then
press the Enter key:
CLI(config)# do show vlan port config
Figure 3-28
You see that the PVID setting for port P1.2 is configured on VLAN ID 2. All
incoming packets at port P1.2 are tagged with the VLAN ID 2.
The SCALANCE has a virtual IP interface of a VLAN for each adjacent subnetwork.
Two subnetworks are needed in this example (Inside and Outside). Therefore the
SCALANCE needs two IP interfaces.
In section 3.3.2 you have created the basis for another subnetwork by creating
another VLAN (VLAN 2).
Since the management VLAN (VLAN 1) and the associated virtual IP interface are
present by default, you have to create a new virtual IP interface for VLAN 2.
Outset
You are in the Global Configuration mode.
The following input prompt is displayed: "CLI(config)#".
Outset
You are in the Global Configuration mode.
The following input prompt is displayed: "CLI(config)#".
Activate NAT
You can use the "ip nat" command to activate the NAT function globally for the
device. When the NAT function has been activated globally for the device and the
NAT interfaces have been defined, the device operates as a NAT router.
To activate the NAT function you call the "ip nat" command as follows and then
press the Enter key:
CLI(config)# ip nat
If you want to operate the interface "192.168.0.1" (VLAN 1) as NAT interface you
have to switch to the configuration mode of the VLAN 1 interface.
You open the configuration mode of the VLAN 1 interface by calling the "interface"
command as follows and then pressing the Enter key:
CLI(config)# interface vlan 1
The following input prompt is displayed: "CLI(config-if-vlan-1)#".
To activate NAT for this VLAN interface you call the "ip nat" command as follows
and then press the Enter key:
CLI(config-if-vlan-1)# ip nat
If you want to operate the interface "10.0.7.1" (VLAN 2) as NAT interface you have
to switch to the configuration mode of the VLAN 2 interface.
You open the configuration mode of the VLAN 2 interface by calling the "interface"
command as follows and then pressing the Enter key:
CLI(config)# interface vlan 2
The following input prompt is displayed: "CLI(config-if-vlan-2)#".
To activate NAT for this VLAN interface you call the "ip nat" command as follows
and then press the Enter key:
CLI(config-if-vlan-2)# ip nat
To quit the configuration mode of the VLAN interface you call the following
command and press the Enter key:
CLI(config-if-vlan-2)# exit
The following input prompt is displayed: "CLI(config)#".
You configure the static 1:1 address translation in the corresponding configuration
mode of the NAT interface. You define the Inside Global address into which the
Inside Local address of a device is to be translated and vice versa.
In this example the NAT table is filled in as follows:
Table 3-3
Inside Local -> Inside Global
PC 1: 192.168.0.4 -> 10.0.7.44
PC 2: 10.0.7.4 -> 192.168.0.44
If you want to define static address translation for the NAT interface "192.168.0.1"
(VLAN 1) you have to switch to the configuration mode of the VLAN 1 interface.
You open the configuration mode of the VLAN 1 interface by calling the "interface"
command as follows and then pressing the Enter key:
CLI(config)# interface vlan 1
The following input prompt is displayed: "CLI(config-if-vlan-1)#".
If you want to define static address translation for the IP interface "192.168.0.1"
you call the "ip nat static" command as follows and then press the Enter key:
CLI(config-if-vlan-1)# ip nat static 10.0.7.4 192.168.0.44
To quit the configuration mode of the VLAN interface you call the following
command and press the Enter key:
CLI(config-if-vlan-1)# exit
The following input prompt is displayed: "CLI(config)#".
If you want to define static address translation for the NAT interface "10.0.7.1"
(VLAN 2) you have to switch to the configuration mode of the VLAN 2 interface.
You open the configuration mode of the VLAN 2 interface by calling the "interface"
command as follows and then pressing the Enter key:
CLI(config)# interface vlan 2
The following input prompt is displayed: "CLI(config-if-vlan-2)#".
If you want to define static address translation for the IP interface "10.0.7.1" you
call the "ip nat static" command as follows and then press the Enter key:
CLI(config-if-vlan-2)# ip nat static 192.168.0.4 10.0.7.44
To quit the configuration mode of the VLAN interface you call the following
command and press the Enter key:
CLI(config-if-vlan-2)# exit
The following input prompt is displayed: "CLI(config)#".
To view the address translation you call the "do show" command as follows and
then press the Enter key:
CLI(config)# do show ip nat static
The static address translation table is displayed.
Figure 3-30
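The following Python model is added here as an illustration and is not part of the Siemens application example or of the SCALANCE firmware. It applies the static NAT table of Table 3-3 the way the two NAT interfaces do (destination NAT on the ingress interface, source NAT on the egress interface) and replays the PING test of chapter 4 in both directions. The interface names "vlan1"/"vlan2", the Packet type and the rule that a packet without a matching table entry is not forwarded are assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

# Static 1:1 NAT table of Table 3-3, keyed by NAT interface (names assumed).
# From each NAT interface the other VLAN is "Inside": an entry maps the real
# (Inside Local) address there to the Inside Global address reachable from this side.
NAT_IF = {
    "vlan1": {  # interface 192.168.0.1; VLAN 2 is Inside
        "net": IPv4Network("192.168.0.0/24"),
        "static": {IPv4Address("10.0.7.4"): IPv4Address("192.168.0.44")},  # PC 2
    },
    "vlan2": {  # interface 10.0.7.1; VLAN 1 is Inside
        "net": IPv4Network("10.0.7.0/24"),
        "static": {IPv4Address("192.168.0.4"): IPv4Address("10.0.7.44")},  # PC 1
    },
}

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address

    def pair(self) -> Tuple[str, str]:
        return str(self.src), str(self.dst)

def interface_of(addr: IPv4Address) -> Optional[str]:
    """NAT interface whose subnet contains addr, or None."""
    return next((n for n, itf in NAT_IF.items() if addr in itf["net"]), None)

def translate(pkt: Packet) -> Optional[Tuple[Packet, str]]:
    """Apply the static NAT table to one packet crossing the router.

    Destination NAT on the ingress interface: the destination must be one of its
    Inside Global addresses and becomes the Inside Local address. Source NAT on
    the egress interface: the source becomes its Inside Global address there.
    Returns (translated packet, egress interface), or None when no entry matches
    (model assumption: such traffic is not forwarded, so un-mapped hosts stay hidden).
    """
    ingress = interface_of(pkt.src)
    if ingress is None:
        return None
    global_to_local = {g: l for l, g in NAT_IF[ingress]["static"].items()}
    real_dst = global_to_local.get(pkt.dst)
    if real_dst is None:
        return None                      # e.g. PC 1 addressing PC 2's real address
    egress = interface_of(real_dst)
    new_src = NAT_IF[egress]["static"].get(pkt.src)
    if new_src is None:
        return None                      # source has no Inside Global address
    return Packet(new_src, real_dst), egress

def forward(src: str, dst: str) -> Optional[Tuple[Tuple[str, str], str]]:
    """String front end: ((src, dst) as seen on the egress side, egress) or None."""
    out = translate(Packet(IPv4Address(src), IPv4Address(dst)))
    return (out[0].pair(), out[1]) if out else None

def ping_round_trip(src: str, dst_global: str) -> Optional[Tuple[str, str]]:
    """Chapter 4 test: echo request src -> dst_global, then the echo reply.
    Returns (src, dst) of the reply as the pinging host sees it, or None."""
    out = translate(Packet(IPv4Address(src), IPv4Address(dst_global)))
    if out is None:
        return None
    back = translate(Packet(src=out[0].dst, dst=out[0].src))  # reply leg
    return back[0].pair() if back else None

if __name__ == "__main__":
    print("PC 1 -> 192.168.0.44 leaves as", forward("192.168.0.4", "192.168.0.44"))
    print("reply seen by PC 1:", ping_round_trip("192.168.0.4", "192.168.0.44"))
```

Running the model shows that PC 2 only ever sees PC 1 as 10.0.7.44 and PC 1 only ever sees PC 2 as 192.168.0.44, while a packet addressed to the real address of the other subnet, or sent by a host without a table entry, is not forwarded.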
4 Operation
The simplest way of testing the NAT function is the PING command.
Proceed as follows to test the communication between PC 1 and PC 2:
1. Open the console window on PC 1.
3. You see the result of the PING command in plain text. If PC 2 is accessible,
PC 2 responds to the PING command and the statistics show no lost packet.
Figure 4-2
Note To test the communication from PC 2 to PC 1, you open the console window on
PC 2 and enter the command "ping 10.0.7.44".