Siemens Industry Online Support
Siemens AG
Entry type: FAQ, Entry ID: 24533873, Entry date: 05/15/2019

How do you forward the encrypted data packets from the VPN tunnel to specific internal nodes only?

Using the Industrial Security Appliances SCALANCE S615 and SCALANCE SC-600, you can connect networks with each other via a VPN tunnel. With additional firewall rules you can forward the tunnel traffic to specific internal nodes only.

Overview
If you want all encrypted packets arriving from the configured VPN tunnel to be forwarded to specific internal nodes only, so that no other internal node is reachable through the VPN tunnel, you can adapt the firewall of an Industrial Security Appliance accordingly.

How to configure the firewall is demonstrated with a sample configuration. In this sample configuration, packets from the VPN tunnel are to be forwarded only to the internal node with the IP address 192.168.1.10. No other internal node is to be reachable through the VPN tunnel.
Fig. 01

The Industrial Security Appliance is a VPN tunnel endpoint.
All encrypted packets arriving from the VPN tunnel carry the external IP address of the respective SCALANCE (here: 10.10.10.1) as their destination address. Only after the packets have been decrypted does the actual destination address of the internal node become visible (here: 192.168.1.10). The forwarding rules therefore match on this inner address, not on the external tunnel address.

The following figure shows two firewall rules.
Fig. 02

The first rule allows packets from the configured VPN tunnel to be forwarded to one specific internal node. Add a separate rule of this kind for each additional internal node that is to receive packets from the VPN tunnel.
The drop rule that follows prevents forwarding to internal nodes with any other IP address.
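As an added example that is not part of the original FAQ and not SCALANCE firmware code, the following Python snippet simulates first-match evaluation of the two rules above, so you can check which internal hosts a proposed rule set exposes to the tunnel before committing it to the device. The interface name "vpn" and the internal network 192.168.1.0/24 are assumptions.

```python
# Added example (not Siemens code): simulate first-match evaluation of the
# two-rule VPN forwarding policy from this FAQ and list which internal
# hosts a rule set lets tunnel traffic reach.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class Rule:
    in_iface: str       # interface the packet arrives on (assumed name "vpn")
    dst: IPv4Network    # destination network the rule matches
    action: str         # "allow" or "drop"


# Rules in the order of Fig. 02: one allow per permitted host, then a drop
# covering the rest of the internal network (assumed to be 192.168.1.0/24).
VPN_RULES: List[Rule] = [
    Rule("vpn", ip_network("192.168.1.10/32"), "allow"),
    Rule("vpn", ip_network("192.168.1.0/24"), "drop"),
]


def decision(rules: List[Rule], in_iface: str, inner_dst: str) -> str:
    """Action of the first matching rule; no match falls back to 'drop'.

    inner_dst is the destination visible after decryption (e.g. 192.168.1.10),
    not the outer tunnel address 10.10.10.1, which the forwarding rules
    never match on.
    """
    dst = ip_address(inner_dst)
    for rule in rules:
        if rule.in_iface == in_iface and dst in rule.dst:
            return rule.action
    return "drop"


def reachable_from_vpn(rules: List[Rule], internal_net: str) -> List[str]:
    """Return every internal host the rule set allows VPN traffic to reach."""
    return [str(h) for h in ip_network(internal_net).hosts()
            if decision(rules, "vpn", str(h)) == "allow"]


if __name__ == "__main__":
    print("reachable via VPN:", reachable_from_vpn(VPN_RULES, "192.168.1.0/24"))
    # Swapping the two rules puts the drop first and silently blocks 192.168.1.10.
    print("swapped order:", decision(list(reversed(VPN_RULES)), "vpn", "192.168.1.10"))
```

Running `reachable_from_vpn` against a candidate rule set is a quick way to confirm that only the intended hosts appear before the rules go onto the appliance.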


Security information
In order to protect technical infrastructures, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art IT security concept. Siemens’ products and solutions constitute one element of such a concept. For more information about cyber security, please visit
https://www.siemens.com/cybersecurity#Ouraspiration.