9/19/2015 12:47 PM
Joined: 6/21/2012 | Last visit: 8/23/2022 | Posts: 14 | Rating: (6)
First off, no offence, but if you have little networking skill, then you should probably not be trying to configure a firewall, as it can be a complicated process and there is a lot of terminology to try and understand! However, to answer your questions:

1. Yes, you must use the SCT to configure the firewall correctly. The software is supplied with the hardware module or downloadable from Siemens.

2. You can set the IP addresses of the internal and external ports with tools such as PST (never tried with Portal), but this is not the same as configuring the rules. The factory default for the firewall is to block all communication (indeed, this is what happens if someone tries to tamper with the module as well). This is standard and what should happen, as you do not want to install a firewall that's by default wide open; it's just asking for trouble.

3. We always use Routing and configure the NAT table, as it allows us to separate the networks more clearly. Also, some of our equipment uses networks where there are very few free IP addresses; using NAT makes sense as we only need one address in the Control System network for the internal port on the firewall.

4. You can create a single rule that allows any communication, but it is not advisable to do so. You only need to create rules for the apps/services that you use. In your case, this is only 4 rules (TIA Portal/Step7, Startdrive, Scout and Web) and would not take more than a minute to configure once you have the port numbers these apps use. Create each rule and then add them to a Group and use the group to apply the IP Services to the NAT entries. When I configure a firewall, I create a service group for Step7 (port 102), VPN (port 5900) and WinCC (don't remember the port number off the top of my head) and just apply the group to the NAT entry on the Firewall tab.
You can also just apply individual rules if you want, as both individual rules and groups are selectable from the drop-down list.

I will try to explain our typical setup, which we use for remote connections, as this will hopefully make things a bit clearer. We have a PC with 2 NICs. This PC is connected to the plant network and has internet access via the plant internet gateway. NIC1 has its address assigned by DHCP from the plant server, giving us plant-wide and internet connectivity. NIC2 has a static IP address, usually set to 169.254.248.250. On this PC we also run a virtual machine which has Step7 or TIA Portal installed (also put your other software in here as well). The virtual machine is encrypted and needs a password to be able to open it. In the virtual machine there is only 1 virtual NIC with a static IP address of 169.254.248.1. The virtual NIC is bridged to the physical PC NIC2 via the settings of the VM. NIC2 is connected to the external port of the firewall.

Firewall internal and external ports are set as follows when the module is configured with SCT. Note you also need to supply the module MAC address to be able to access and configure it.

- Internal: 11.0.1.227 (just use an IP address in the same range as the PLC that does not conflict)
- External: 169.254.248.10 (use an IP address in the same range as my VM and NIC2 static IP addresses)

In your case, I would configure the firewall for NAT with the following. Note that I have used 11.0.1.20 as the PLC address in this example.

- Source: 169.254.248.1 (the VM static IP address)
- Destination: 169.254.248.100 (the address I will use in Portal to access the PLC)
- Translation: 11.0.1.20 (the PLC)

To access the control system (PLC) we open the virtual machine, start Step7/Portal, set the access address to 169.254.248.100 and go online.
The firewall is configured to translate the data packets on 169.254.248.100 to the PLC address of 11.0.1.20.

For your configuration, I would not have NIC2 in your VM be able to access the internet, as it is a potential risk. NIC1 in your VM is OK. You cannot remotely ping the Scalance if your NIC2 is configured for internet access, as it will be on a different network to the Scalance, which is on NIC1 (also, the S602 module by default does not respond to ping requests). The VPN likely gives you access to NIC2 only. Unless you can establish a remote connection to the PC and take control, you should not be able to ping the Scalance switch. If you can, then the way the VPN is configured is a security breach and should be fixed immediately, as there is also bridging configured to connect your NIC1 and NIC2.

To allow us remote access, we use a service called GotoMeeting (www.gotomeeting.com), which enables a user on site to create an internet meeting from the PC (remember it's got internet access via the plant gateway), invite us to join and then hand over control of the PC. After you have been given control you can open Scout on the plant PC from your office over the internet. When they hand over control, it is the same as if you are sitting in front of the PC and you have full control. I think this is what you are trying to achieve. Note GotoMeeting uses the internet and a secure internet connection with encryption and compression, so performance and security are actually quite good. Also be aware that this is a paid-for service with an annual fee, which is equivalent to about 1 day's charge for a service engineer to visit the site. Using GotoMeeting means we do not have to worry about VPN, which can be a real pain in the backside to get working correctly, especially if hardware changes, as the VPN will often have to be re-configured.

Finally, I have attached an example SCT configuration file for you to look at.
This must be opened with SCT v4, using the following user name and password:

- username: Davinator
- password: password1234

In this configuration file you will see examples of configuring the Double NAT, IP Services and IP Service Groups. You should be able to look at the various settings to get an idea of how to configure your own project quite quickly. Let me know if you need any more help or if my explanation is not very clear.

Regards,
Mark

Attachment: DavinatorExample.zip
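The rule set described in the post above (factory default deny, a service group attached to a NAT entry, and a destination address that the engineering VM dials which the module translates to the PLC) can be modelled in a few lines to check that the intended packets, and only those, get through. The following is an added Python model written for this page; it is not code from the post, not SCT output, and not how the SCALANCE S602 firmware is implemented. The addresses and the port numbers 102 and 5900 are taken from the post exactly as given (the "VPN" label for 5900 is the poster's); the WinCC port is left out because the post does not state it. The names SERVICE_GROUPS, NatEntry, NAT_TABLE, Packet, evaluate and reverse_translate are all invented for the example.

```python
"""Toy model of a default-deny SCALANCE-style NAT firewall rule set.

Constructed illustration for this page: it mirrors the structure the post
describes (IP service group -> NAT entry -> implicit drop of everything else),
not the real SCT data model or S602 behaviour.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# IP service group, built from the rules the post names (Step7 on 102,
# "VPN" on 5900 as the poster labels it). WinCC is omitted: no port given.
SERVICE_GROUPS: Dict[str, FrozenSet[Tuple[str, int]]] = {
    "Engineering": frozenset({("tcp", 102), ("tcp", 5900)}),
}

# Addresses of the module's own ports, from the post's example setup.
FIREWALL_INTERNAL = "11.0.1.227"
FIREWALL_EXTERNAL = "169.254.248.10"


@dataclass(frozen=True)
class NatEntry:
    source: str        # host allowed to use this entry (the engineering VM)
    destination: str   # address typed into Portal / Step7
    translation: str   # real PLC address behind the internal port
    group: str         # service group applied on the Firewall tab


# The single NAT entry from the post: VM -> dialled address -> PLC.
NAT_TABLE: List[NatEntry] = [
    NatEntry("169.254.248.1", "169.254.248.100", "11.0.1.20", "Engineering"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # 0 for protocols without ports (icmp)


Verdict = Tuple[str, Optional[Packet], str]


def evaluate(pkt: Packet) -> Verdict:
    """Decide what the module does with an externally received packet.

    Returns (verdict, forwarded_packet_or_None, reason). Anything that does
    not match a NAT entry *and* that entry's service group is dropped, which
    is the factory-default behaviour the post describes.
    """
    # The module does not answer traffic addressed to itself (e.g. ping).
    if pkt.dst in (FIREWALL_EXTERNAL, FIREWALL_INTERNAL):
        return ("DROP", None, "addressed to the module itself; not answered")

    for entry in NAT_TABLE:
        if pkt.src == entry.source and pkt.dst == entry.destination:
            if (pkt.proto, pkt.dport) in SERVICE_GROUPS[entry.group]:
                forwarded = Packet(pkt.src, entry.translation, pkt.proto, pkt.dport)
                return ("ALLOW", forwarded, f"matched NAT entry, group {entry.group}")
            return ("DROP", None,
                    f"{pkt.proto}/{pkt.dport} not in service group {entry.group}")

    # No NAT entry matched: everything else is blocked by default.
    return ("DROP", None, "no matching NAT entry (default deny)")


def reverse_translate(reply: Packet) -> Optional[Packet]:
    """Rewrite a PLC reply so the VM sees it coming from the address it
    dialled (the return leg of the double NAT). Returns None if the reply
    does not belong to any configured entry.
    """
    for entry in NAT_TABLE:
        if reply.src == entry.translation and reply.dst == entry.source:
            return Packet(entry.destination, reply.dst, reply.proto, reply.dport)
    return None


if __name__ == "__main__":
    # Constructed sample traffic: the intended Step7 session, a telnet attempt
    # from the VM, a Step7 attempt from the host PC's NIC2, and a ping at the
    # module's external address.
    samples = [
        Packet("169.254.248.1", "169.254.248.100", "tcp", 102),
        Packet("169.254.248.1", "169.254.248.100", "tcp", 23),
        Packet("169.254.248.250", "169.254.248.100", "tcp", 102),
        Packet("169.254.248.1", "169.254.248.10", "icmp"),
    ]
    for p in samples:
        verdict, fwd, why = evaluate(p)
        target = fwd.dst if fwd else "-"
        print(f"{p.src:>16} -> {p.dst:<16} {p.proto}/{p.dport:<5} {verdict:<5} "
              f"(to {target}) {why}")
    reply = reverse_translate(Packet("11.0.1.20", "169.254.248.1", "tcp", 102))
    print("PLC reply seen by VM as coming from:", reply.src if reply else None)
```

Running the sample traffic shows only the Step7 session from the VM being forwarded, with its destination rewritten to 11.0.1.20; the same port from the host's NIC2 address is dropped because no NAT entry names that source, and telnet from the VM is dropped because it is not in the service group. That is the practical reason behind point 4 in the post: an "allow anything" rule would let all three through.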