What configuration steps are necessary to forward the encrypted data packets arriving at the SCALANCE S61x from the VPN tunnel to specific internal nodes only?
The following describes what to watch out for when configuring the firewall of the SCALANCE S61x so that all encrypted data packets arriving from the VPN tunnel are forwarded to specific internal nodes only, while the remaining internal nodes are not reachable through the VPN tunnel.
Fig. 01: System overview
The SCALANCE S61x is a tunnel end point as far as the VPN is concerned.
All encrypted data packets arriving from the VPN tunnel always carry the external IP address of the respective SCALANCE S61x (192.168.10.14) as their destination address. Only after the packets have been decrypted does the actual destination address of the internal node (188.8.131.52) become visible.
The following figure shows three firewall rules.
Fig. 02: Firewall configuration in the Security Configuration Tool, "Extended Mode" view
The first rule permits the data packets arriving from the tunnel to be decrypted.
The second rule permits forwarding of the decrypted packets to one specific internal node. A separate rule of this kind must be added for each further internal node to which encrypted packets from the VPN are to be forwarded.
The final drop rule prevents forwarding of the packets to internal nodes with any other IP address.
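The following is an added example, not Siemens code or the actual SCALANCE rule format: a minimal first-match model of the three-rule set described above, used to check that only the named internal node is reachable and that the drop rule must come after the specific allow rule. The rule fields (`src_zone`, `dst_zone`, `dst_ip`), first-match evaluation in rule order, and the address 188.8.131.53 for a second internal node are assumptions, since the figure is not on the page.

```python
# Added example (not Siemens code): first-match model of the three-rule
# SCALANCE S61x firewall set described above. Rule fields, the two-stage
# decrypt/forward model and OTHER_NODE are assumptions for illustration.
from dataclasses import dataclass

EXTERNAL_IP = "192.168.10.14"   # external address of the SCALANCE S61x (from the page)
ALLOWED_NODE = "188.8.131.52"   # internal node that may be reached via the VPN (from the page)
OTHER_NODE = "188.8.131.53"     # constructed address of a second internal node (assumption)

@dataclass
class Rule:
    action: str        # "allow" or "drop"
    src_zone: str      # "tunnel" (packets from the VPN)
    dst_zone: str      # "external" (the S61x itself) or "internal"
    dst_ip: str = "*"  # "*" matches any destination address

# Rules in the order the page describes them.
RULES = [
    Rule("allow", "tunnel", "external"),                # 1: accept tunnel packets addressed to the S61x so they can be decrypted
    Rule("allow", "tunnel", "internal", ALLOWED_NODE),  # 2: forward decrypted packets to one internal node only
    Rule("drop",  "tunnel", "internal"),                # 3: drop everything else heading for the internal network
]

def first_match(rules, src_zone, dst_zone, dst_ip):
    """Action of the first matching rule; no match means default deny."""
    for r in rules:
        if r.src_zone == src_zone and r.dst_zone == dst_zone and r.dst_ip in ("*", dst_ip):
            return r.action
    return "drop"

def handle_tunnel_packet(rules, outer_dst, inner_dst):
    """Two-stage check: the encrypted packet (outer destination = S61x) must be accepted
    before it is decrypted; only then is the inner destination address evaluated."""
    if outer_dst != EXTERNAL_IP or first_match(rules, "tunnel", "external", outer_dst) != "allow":
        return "drop"
    return first_match(rules, "tunnel", "internal", inner_dst)

if __name__ == "__main__":
    print(handle_tunnel_packet(RULES, EXTERNAL_IP, ALLOWED_NODE))  # allow
    print(handle_tunnel_packet(RULES, EXTERNAL_IP, OTHER_NODE))    # drop
    # Rule order matters: with the drop rule ahead of the specific allow, nothing gets through.
    wrong_order = [RULES[0], RULES[2], RULES[1]]
    print(handle_tunnel_packet(wrong_order, EXTERNAL_IP, ALLOWED_NODE))  # drop
```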