Stratix 5700 NAT Configuration

scarince

I'm having a terrible time configuring the NAT. This is exactly the same issue that many others have appeared to have. I've read everything I can find including several good posts by The PLC Kid, but I'm just missing something here and could use another pair of eyes.

I have it configured but cannot ping anything on the private side from the public side. I'm trying to communicate with a 1756-ENBT/A. I *can* ping it from the private side.

Switch is a 1783-BM12T4E2CGNK
Only one vlan (vlan1).
Gi1/1 is the uplink.
All my ports are auto negotiate.
My Gi1/1 port is assigned to vlan1 since that is the only vlan.
The smartport is set for "switch for automation" and it has vlan trunking enabled in port configuration.

I've attached a document that shows my network and the configuration screens.

Can anyone see what I've forgotten?

Thank you.
 
I'm not familiar with this switch, but it looks like a standard NAT application. What address are you trying to ping when you say "ping from public to private side"? Remember that the 192.168 addresses do not exist as far as the public side equipment is concerned. There is only one device visible from the public side, that's your switch on its public address.

If you can, set up a mirror port and use Wireshark to see what's happening in both the private and public ports.
 
What address are you trying to ping when you say "ping from public to private side"? Remember that the 192.168 addresses do not exist as far as the public side equipment is concerned. There is only one device visible from the public side, that's your switch on its public address.

I have a 1756-ENBT in a chassis on the "private" side, IP=192.168.1.111.

In my NAT config I have given it a unique public address of 10.36.147.35. So I am trying to ping 10.36.147.35 from the "public" side to get it to respond. It will respond when I'm on the "private" side and I ping the .111 address.

I think one thing I might have wrong is that I have not configured a translation for my laptop that I'm pinging from. I had convinced myself that I didn't need to do this since the Stratix is connected to a layer 3 switch, but I think that may not be correct. I can't figure out why I thought that.....something I read made me think that.

I am going to set up a translation for the laptop and I'll also take your advice and try to see what I can see with Wireshark.

Thanks!
 
Not intending to hijack your thread but we are experiencing similar issues trying to get NAT to work with our 5700.

VLAN 1 = 192.168.1.19, 255.255.255.0
VLAN 105 = 10.56.105.199, 255.255.240.0

Laptop = local IP 192.168.1.21 connected to fa1/1 (VLAN 1)
CompactLogix PLC = local IP 192.168.1.20 connected to fa1/2 (VLAN 1)
Plant network = IP 10.56.105.199 connected to gi1/1 (VLAN 105)

When setting up NAT we call the instance "plc" and under general > private 192.168.1.20 to public 10.56.105.200. Under public > private tab we enter the reverse. Under gateway we have 10.56.105.202 public to 192.168.1.200 private.

Has to be something simple that we are missing. Currently all smartports are set to none. When we switch either fa1/2 or gi1/1 smartports to Switch for Automation/ Trunk we lose our plant side connection. When they are set to none, we can at least access the switch device manager via laptop or desktop PC. Cannot ping the PLC from the plant side and the switch itself does not show up in RSLinx.
 
Fourpaw, you may have already seen these but if not take a look at:

This Thread

and

This Thread

One of them mentions that the port set for "switch for automation" must have VLAN trunking enabled in port settings.

Take a look to see if anything in there helps. And let me know if you have luck.

Thanks.
 
I think one thing I might have wrong is that I have not configured a translation for my laptop that I'm pinging from. I had convinced myself that I didn't need to do this since the Stratix is connected to a layer 3 switch, but I think that may not be correct. I can't figure out why I thought that.....something I read made me think that.

I am going to set up a translation for the laptop and I'll also take your advice and try to see what I can see with Wireshark.

Thanks!

You shouldn't have to set up anything in your laptop, other than making sure it's correctly configured for your public network.

Wireshark is very handy. I had a Moxa device that appeared not to be working in NAT. Turns out it wasn't modifying the IP header the way I thought it was, and was retaining the sender IP as the public side address instead of swapping it for its own private side address. So the device receiving the message had no idea how to route the response. There was already a default gateway configured which pointed to another device so I had to set up some static routes to get it working.

Long story short, Wireshark will let you figure out where that ping is getting to and possibly why you're not getting a response.
 
Fourpaw, you may have already seen these but if not take a look at:

This Thread

and

This Thread

One of them mentions that the port set for "switch for automation" must have VLAN trunking enabled in port settings.

Take a look to see if anything in there helps. And let me know if you have luck.

Thanks.
Yes, I have seen those and have tried to set the gi1/1 port to "switch for automation" as well as RJ45 and trunking and it drops the plant connection via Vlan4 right away.

Vlan 1 is setup using IP192.168.1.XXX on subnet mask 255.255.255.0 and our plant network is setup as Vlan105 with 10.56.105.XXX with subnet mask 255.255.240.0.

The 5700 Switch, PLC and the translation table are all setup as per above... having a real hard time figuring out what's missing here lol.
 
I feel the same way, like I'm right on the edge of getting this to work.

I took a few steps backward this week and discovered that my problem (or one of them) may be more basic. I realized that I can't even get a ping response from the 5700 on the public side, so I had to back up and confirm that all the connections on the Corp. IT side are working, and they are. I may have had a mistake in which vlans I had bound to which port, but I've made so many configuration changes that I'm not sure anymore what I had setup when.

I'm going to recheck everything and try again on Monday, get the 5700 to answer the ping, and then go from there.
 
Have a look at Technote 587792 - Simple Stratix 5700 NAT Setup.

Finally got ours to work. Didn't need to have a 2nd Vlan, didn't need to configure smartports... just needed to put "only" the PLC and Switch Private to Public translations under the NAT General tab, and "only" my network PC static IP address translation to a private address - under the Public to Private tab. Gateway section was left blank.

All that's left to do now is to play around with the smartports as they do affect my plant connection when they are NOT set as "none"...
 
scarince,

It's there alright. Try this link...

587792 - Simple Stratix 5700 NAT Setup
Access Level: Everyone

Also have a look here, even though I also linked this in one of the threads you linked to earlier...

554727 - Stratix 5700: NAT(Network Address Translation) Configuration
Access Level: TechConnect

...and here...

596742 - Connect to a Stratix 5700 NAT switch on the Public Side
Access Level: TechConnect

...and while we're at it...

619491 - How to configure the Stratix 5700 with NAT to handle multiple identical machines.
Access Level: Everyone

...and here for good measure...

543731 - Number of Supported NAT Entries on the Stratix 5700 with NAT
Access Level: Everyone

Regards,
George
 
scarince,

It's there alright. Try this link...

George, thank you so much. I had some kind of filter turned on in my TechConnect account that caused my searches to return *nothing*. You really helped me out by pointing out the existence of those documents.

I followed the guidance of 587792 - Simple Stratix 5700 NAT Setup and, it worked! I could ping a plc on the private side and I could ping the 5700 itself and access the management pages.

So then I ran down to the floor, plugged into the plant network and, I get nothing.

Plant IT has provided a drop (and a static IP address) to the assembly line that is on the vlan that they have designated for industrial controls. They tell me I'm connecting to a layer three switch but that's all I know about it at this time.

I can take my laptop and configure it with that static address they gave me, and I can successfully ping it from the server I will eventually talk to. So that works.

But when I configure the 5700 with that address and then plug it in, it won't answer the ping.

I used Wireshark to watch the uplink port. I can see the ping request come in (as we have already witnessed by trying that using my laptop as the target) but the switch doesn't answer.

The only thing that is different is that I'm trying to get the switch to answer this ping instead of my laptop.

I'm going to approach the IT guys, but they are already confused about the 5700. They don't understand how it can work without there being a link between the MAC ID of the switch and an IP address. I'm wondering if they need to somehow change their switch configuration of the drop they gave me.

More to follow.
 
Make sure in the public to private tab you add the IP address of the plant side PC you are trying to access from and an unused local address. Can also try setting all smartports to none.
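
Added example, not part of any poster's message and not Rockwell's implementation: a simplified Python model of the return-path problem raised in the posts above (a private device cannot answer a sender whose address it has no route to). The plant PC address 10.56.105.50 and local address 192.168.1.50 are constructed, and the reply logic is an assumption about a typical private-side device.

```python
import ipaddress

# Sample addressing modelled on values quoted in the thread.
PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")
PRIVATE_TO_PUBLIC = {"192.168.1.20": "10.56.105.200"}  # PLC, as posted
# Constructed entry: plant PC mapped to an unused local address.
PUBLIC_TO_PRIVATE = {"10.56.105.50": "192.168.1.50"}


def translate_inbound(src, dst):
    """Rewrite a public-side packet as the private device will see it."""
    dst_map = {pub: priv for priv, pub in PRIVATE_TO_PUBLIC.items()}
    if dst not in dst_map:
        return None  # no translation for this destination
    # The source is rewritten only if a public-to-private entry exists.
    return PUBLIC_TO_PRIVATE.get(src, src), dst_map[dst]


def trace_ping(src, dst, device_gateway=None):
    """Return a verdict for a ping sent from the public side."""
    seen = translate_inbound(src, dst)
    if seen is None:
        return "no-destination-translation"
    seen_src, _ = seen
    if ipaddress.ip_address(seen_src) in PRIVATE_NET:
        return "reply-on-link"      # sender looks local, device can answer
    if device_gateway is None:
        return "reply-unroutable"   # off-subnet sender, device has no gateway
    return "reply-via-gateway"      # outcome depends on that gateway


if __name__ == "__main__":
    for src in ("10.56.105.50", "10.56.105.77"):
        print(src, "->", trace_ping(src, "10.56.105.200"))
```

Comparing the verdicts with a Wireshark capture on the private port shows whether the echo request arrives with a translated or untranslated source address.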
 
I've made progress. The NAT seems to be fully functional now, but I still cannot communicate to the data collection server. I failed to notice that the server is in a different subnet.

All of my "Public" addresses for my 5700 and devices are 10.36.147.xxx, but the server that I want to talk to is 10.36.145.27

I have a public to private translation for this server setup in the NAT configuration.

The gateway address for the .147 subnet is .1 so shouldn't putting that gateway address in the NAT configuration "Gateway" entry be enough, or is the solution to this more complicated?
 
