Siemens Industry Online Support
Siemens AG
Entry type: FAQ Entry ID: 24533873, Entry date: 02/09/2007

What configuration steps are necessary to forward the encrypted data packets arriving at the SCALANCE S61x from the VPN tunnel to specific internal nodes only?


Configuration Notes:
The following notes describe what to watch out for when configuring the firewall of the SCALANCE S61x so that all encrypted data packets arriving from the VPN tunnel are forwarded only to specific internal nodes, while the remaining internal nodes are not reachable through the VPN tunnel.

Fig. 01: System overview

As far as the VPN is concerned, the SCALANCE S61x is the tunnel endpoint.
Every encrypted data packet arriving from the VPN tunnel therefore carries the external IP address ( of the respective SCALANCE S61x as its destination address. Only after the packet has been decrypted does the actual destination address of the internal node ( become visible, and only then can the firewall decide, per internal node, whether the packet may be forwarded.

The following figure shows three firewall rules.

Fig. 02: Firewall configuration in the Security Configuration Tool in the view -> "Extended Mode"

The first rule accepts the packets arriving from the tunnel so that they are decrypted.
The second rule permits forwarding of the decrypted packets to one specific internal node. Add a separate rule of this kind for every other internal node that is to be reachable from the VPN tunnel.
The drop rule prevents forwarding to internal nodes with any other IP address. The rules take effect in the order shown, so the drop rule must stay below the allow rules: placed above them, it would also block the nodes you intended to permit, and left out entirely, reachability of the other internal nodes would depend on the firewall's default behaviour rather than on an explicit decision.
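The following model makes the effect of the three rules and of their order visible. It is an added illustration written for this page, not SCALANCE firmware or Security Configuration Tool code: the zone names ("tunnel", "station", "internal"), the first-match evaluation, the configurable default action and all IP addresses are assumptions chosen to mirror the description above, and the sample addresses are constructed from documentation ranges.

```python
"""
Model of the three-rule tunnel firewall policy described above, evaluated
top to bottom with first match wins. Added illustration only: this is not
SCALANCE firmware or Security Configuration Tool code, and the zone names,
default action and addresses are assumed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

IPv4 = ipaddress.IPv4Address

# Constructed sample addresses (documentation ranges), not taken from the FAQ.
S61X_EXTERNAL_IP = IPv4("192.0.2.10")                # tunnel endpoint address
REMOTE_PEER_IP = IPv4("198.51.100.20")               # VPN partner beyond the tunnel
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")   # nodes behind the S61x
PERMITTED_NODE = IPv4("10.0.0.5")                    # the one node the tunnel may reach


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4
    iface: str   # "tunnel" = arrived through the VPN, or "external" / "internal"


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "drop"
    from_zone: str                  # "tunnel", "external", "internal" or "any"
    to_zone: str                    # "station" (the S61x itself), "internal", "external", "any"
    dst_ip: Optional[IPv4] = None   # None matches any destination address


def dst_zone(pkt: Packet) -> str:
    """Classify the destination the way the firewall sees it."""
    if pkt.dst == S61X_EXTERNAL_IP:
        return "station"
    if pkt.dst in INTERNAL_NET:
        return "internal"
    return "external"


def evaluate(rules: List[Rule], pkt: Packet, default: str) -> str:
    """Top to bottom, first match wins; `default` applies when no rule matches."""
    for r in rules:
        if r.from_zone not in ("any", pkt.iface):
            continue
        if r.to_zone not in ("any", dst_zone(pkt)):
            continue
        if r.dst_ip is not None and r.dst_ip != pkt.dst:
            continue
        return r.action
    return default


def forward_from_tunnel(rules: List[Rule], inner_dst: IPv4, default: str = "allow") -> str:
    """Two-stage check mirroring the FAQ: the encrypted outer packet is always
    addressed to the S61x's own external IP and must be accepted first; only the
    decrypted inner packet reveals the real internal destination, which is then
    evaluated against the same rule list."""
    outer = Packet(REMOTE_PEER_IP, S61X_EXTERNAL_IP, "tunnel")
    if evaluate(rules, outer, default) != "allow":
        return "drop"                       # ciphertext never decrypted
    inner = Packet(REMOTE_PEER_IP, inner_dst, "tunnel")
    return evaluate(rules, inner, default)


def reachable_from_tunnel(rules: List[Rule], default: str = "allow") -> set:
    """Every internal host the tunnel can reach under this rule list."""
    return {str(h) for h in INTERNAL_NET.hosts()
            if forward_from_tunnel(rules, h, default) == "allow"}


# The three rules of Fig. 02 in the order the FAQ lists them.
RULE_DECRYPT = Rule("allow", "tunnel", "station")                       # 1: accept tunnel traffic
RULE_PERMIT_NODE = Rule("allow", "tunnel", "internal", PERMITTED_NODE)  # 2: one rule per node
RULE_DROP_REST = Rule("drop", "tunnel", "internal")                     # 3: everything else

POLICY_OK = [RULE_DECRYPT, RULE_PERMIT_NODE, RULE_DROP_REST]
POLICY_MISORDERED = [RULE_DECRYPT, RULE_DROP_REST, RULE_PERMIT_NODE]   # drop shadows the allow
POLICY_NO_DROP = [RULE_DECRYPT, RULE_PERMIT_NODE]                      # outcome depends on default


if __name__ == "__main__":
    print("correct order:", reachable_from_tunnel(POLICY_OK))
    print("drop above allow:", reachable_from_tunnel(POLICY_MISORDERED))
    print("no drop rule, default allow:", len(reachable_from_tunnel(POLICY_NO_DROP)), "hosts")
    print("no drop rule, default drop:", reachable_from_tunnel(POLICY_NO_DROP, default="drop"))
```

With the rules in the order of Fig. 02 only the permitted node is reachable through the tunnel. Moving the drop rule above the allow rule blocks every node, including the permitted one, and omitting the drop rule leaves the whole internal subnet reachable whenever the default action is permissive, which is exactly why the FAQ lists the drop rule explicitly.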

Security information
In order to protect technical infrastructures, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art IT security concept. Siemens’ products and solutions constitute one element of such a concept. For more information about cyber security, please visit