How do you forward the encrypted data packets from the VPN tunnel to specific internal nodes only?
If you want all encrypted data packets arriving through the configured VPN tunnel to be forwarded only to specific internal nodes, and the other internal nodes not to be reachable through the VPN tunnel, you can adapt the firewall of the Industrial Security Appliance accordingly.
The firewall configuration is demonstrated with a sample configuration. In this sample, data packets from the VPN tunnel are to be forwarded only to the internal node with the IP address 192.168.1.10. All other internal nodes are not to be reachable through the VPN tunnel.
The Industrial Security Appliance represents a VPN tunnel end point.
All encrypted data packets arriving from the VPN tunnel carry the external IP address of the respective SCALANCE (here: 10.10.10.1) as their destination address. Only after the packets have been decrypted does the actual destination address of the internal node become visible (here: 192.168.1.10). The firewall rules therefore have to match on the decrypted (inner) destination address, not on the external address of the appliance.
The following figure shows two firewall rules.
The first rule allows forwarding of data packets from the configured VPN tunnel to one specific internal node. You must add a separate allow rule for every other internal node to which encrypted data packets from the VPN tunnel are to be forwarded.
The drop rule prevents forwarding of data packets to internal nodes with any other IP address.
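The following is an added Python model of the two-rule sample above; it is not the appliance's own code. It assumes first-match evaluation of the rule table, an implicit default deny, and the internal subnet 192.168.1.0/24; it shows why the allow rule must precede the drop rule and how a further allow rule is inserted for an additional node.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Values taken from the sample configuration on this page.
EXTERNAL_IP = ip_address("10.10.10.1")          # tunnel endpoint (outer dst)
INTERNAL_NET = ip_network("192.168.1.0/24")     # assumption: internal subnet


@dataclass(frozen=True)
class Rule:
    src_zone: str        # "vpn" = packet arrived through the VPN tunnel
    dst: IPv4Network     # destination addresses the rule matches
    action: str          # "allow" or "drop"


# Rule order of the sample: allow the single node first, drop the rest last.
RULES: List[Rule] = [
    Rule("vpn", ip_network("192.168.1.10/32"), "allow"),
    Rule("vpn", INTERNAL_NET, "drop"),
]


def decrypt(outer_dst: str, inner_dst: str) -> Optional[str]:
    """The encrypted packet is addressed to the appliance's external IP;
    only after decryption is the real internal destination visible."""
    if ip_address(outer_dst) != EXTERNAL_IP:
        return None                      # not tunnel traffic for this endpoint
    return inner_dst


def evaluate(src_zone: str, inner_dst: str, rules: List[Rule] = RULES) -> str:
    """First-match evaluation over an ordered rule table (assumption)."""
    dst = ip_address(inner_dst)
    for rule in rules:
        if rule.src_zone == src_zone and dst in rule.dst:
            return rule.action
    return "drop"                        # assumption: implicit default deny


def forward_from_tunnel(outer_dst: str, inner_dst: str) -> str:
    """Full path: decrypt, then filter on the inner destination address."""
    inner = decrypt(outer_dst, inner_dst)
    return "drop" if inner is None else evaluate("vpn", inner)


def with_extra_node(node_ip: str, rules: List[Rule] = RULES) -> List[Rule]:
    """Add a further allow rule; it must be placed before the final drop."""
    extra = Rule("vpn", ip_network(f"{node_ip}/32"), "allow")
    return rules[:-1] + [extra, rules[-1]]
```

Swapping the two rules makes the drop rule match first and blocks 192.168.1.10 as well, which is the ordering mistake the model makes visible.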