What should you watch out for with remote access to a SIMATIC S7 with STEP 7 via the internet?
PG functions are used with STEP 7 to access an automation system (SIMATIC S7, for example) in the local network from the external network. Access is made via a gateway that uses the NAT (Network Address Translation) and NAPT (Network Address Port Translation) services.
In the above-mentioned examples, the PG functions permit the following with STEP 7:
- Downloading of the configuration and user program to the CPU.
- Monitoring of blocks and tags.
The PG functions, S7 communication etc. use Port 102 (TCP).
Information on which protocol uses which TCP port is available in Entry ID: 8970169.
In the above-mentioned applications, you set the port forwarding in the DSL Modem/Router on the plant side and in the gateway so that the messages of Port 102 from the external network are forwarded to Port 102 of the IP address of the CPU. The IP address of the CPU is in the local network.
Example of port forwarding
Remote access via internet using port forwarding:
| Access via NAT/NAPT | 192.168.2.1 | 102 | 184.108.40.206 | 102 | STEP 7 |
With the settings below, in STEP 7 V5.x or TIA Portal you can address the fixed external IP address of the DSL modem/router on the plant side and the external IP address of the gateway in order to enable
- Monitoring of blocks and tags on the CPU via STEP 7 V5.x or TIA Portal.
- Downloading of the configuration via STEP 7 V5.x or TIA Portal.
- The correct IP address of the router must be set in the CPU's interface settings.
- The configuration with the IP address of the router must be loaded once into the CPU.
Instructions for STEP 7 V5.x
- In the SIMATIC Manager you open the program folder of the CPU.
- Select the menu "PLC > Access Address...".
- The first time you set the access address a message is displayed indicating that the access address has not been set before. Confirm the dialog with "OK".
- In the "Access Address" dialog you set the fixed external IP address of the DSL Modem/Router on the plant side and the external IP address of the gateway.
- Confirm the entry with "OK".
STEP 7 V5.x now attempts online access automatically via the set access address.
Instructions for the TIA Portal
The instructions below are valid for STEP 7 V13 SP1 (TIA Portal) and higher.
- In the project navigation you mark the desired CPU.
- Select the menu "Online > Extended download to device...".
- In the "Extended download to device" dialog you make the settings given below.
- Type of the PG/PC interface: PN/IE
- PG/PC interface: network card of the PG/PC via which the online access is made
- Connection to interface/subnet: subnet of the CPU on which the online access is made, for example: "PN/IE_1"
- Double-click the item "Access address" to enter the fixed external IP address of the DSL modem/router on the plant side and the external IP address of the gateway via which the CPU can be reached.
- Confirm the entry with <Enter>. The TIA Portal attempts to reach the set IP address. Click the "Load" button to start the download procedure.
- TIA Portal now attempts online access automatically via the set access address.
Remember that with the above-mentioned remote access options the local network is not protected against unauthorized access. We therefore recommend that you use a VPN (Virtual Private Network) for remote access via the internet. Via VPN, you can use the PG functions with STEP 7:
- without changing the IP address of the Industrial Ethernet interface in the hardware configuration to monitor the blocks and
- without changing the IP address of the download interfaces to download the hardware configuration or user program into the CPU.
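To find out whether a gateway currently forwards port 102 in the unprotected way described above, the following added example (not Siemens code) scans `iptables-save` output for DNAT rules that end at TCP port 102 and marks those without a source restriction. It assumes a Linux/iptables-based gateway with single-port rules; the sample ruleset, the interface name `ppp0` and all addresses except the page's 192.168.2.1 are constructed.

```python
import ipaddress
import shlex

S7_PORT = "102"  # TCP port used by PG functions and S7 communication (per the page)

# Constructed sample ruleset: 192.168.2.1 is the CPU address from the page's example;
# ppp0, 192.168.2.2, 192.168.2.50 and 203.0.113.10 are made up for illustration.
SAMPLE_RULES = """\
*nat
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 102 -j DNAT --to-destination 192.168.2.1:102
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 10102 -j DNAT --to-destination 192.168.2.1:102
-A PREROUTING -s 203.0.113.10/32 -i ppp0 -p tcp -m tcp --dport 102 -j DNAT --to-destination 192.168.2.2
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.2.50:443
COMMIT
"""


def find_s7_forwards(ruleset):
    """Return one finding per IPv4 DNAT rule whose target port is TCP 102."""
    findings = []
    for line in ruleset.splitlines():
        if not line.startswith("-A PREROUTING"):
            continue
        toks = shlex.split(line)
        # Map each option to the token that follows it (-s, -p, --dport, -j, ...).
        opts = {t: toks[i + 1] for i, t in enumerate(toks[:-1]) if t.startswith("-")}
        if opts.get("-p") != "tcp" or opts.get("-j") != "DNAT":
            continue
        cpu, _, to_port = opts.get("--to-destination", "").partition(":")
        # Without an explicit target port the original destination port is kept.
        if (to_port or opts.get("--dport")) != S7_PORT:
            continue
        src = opts.get("-s", "0.0.0.0/0")
        # "! -s net" matches everything except net, so it is no real restriction.
        negated = "-s" in toks and toks[toks.index("-s") - 1] == "!"
        exposed = negated or ipaddress.ip_network(src, strict=False).prefixlen == 0
        findings.append({"external_port": opts.get("--dport", "any"),
                         "cpu": cpu, "source": src, "exposed": exposed})
    return findings


if __name__ == "__main__":
    for f in find_s7_forwards(SAMPLE_RULES):
        state = "EXPOSED to any source" if f["exposed"] else "source-restricted"
        print(f"{f['external_port']}/tcp -> {f['cpu']}:{S7_PORT} from {f['source']}: {state}")
```

A rule that maps a different external port (10102 in the sample) to port 102 of the CPU is reported as well, since changing the external port number does not protect the local network.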
Instructions for configuring a VPN with SCALANCE S6x and SOFTNET Security Client are available in the following entries:
A description of the various WAN access methods for remote access to automation systems (SIMATIC S7, for example) is available in Entry ID: 26662448.
Siemens offers products and solutions with industrial security functions which support the secure operation of plants, solutions, machines, devices and/or networks. They are important components in a comprehensive industrial security concept. The Siemens products and solutions continue to be developed under this aspect. Siemens recommends that you keep yourself regularly informed about product updates.
For the safe operation of Siemens products and solutions it is necessary to take appropriate security measures (cell protection concept, for example) and to integrate each component in an overall industrial security concept which is state of the art. This should also cover the third-party products used. Additional information about Industrial Security is available here:
In order to keep yourself informed about product updates, you can arrange in the Siemens Industry Online Support to receive news about the products you use. Further information about this is available at: Product Support > Saving filter settings.