WinccFlexible RT to S7-1500 through Firewall with NAT

beethoven_ii

I have developed a WinCC Flexible runtime in TIA V17 which is to display data from 7x S7-300 PLCs and 1x S7-1500 PLC. The runtime sits on a newly installed PC in the customer's offices, and their overseas IT department have configured their firewall using NAT to allow Ethernet communications between the corporate network and the machine network for this. When I fire up the runtime on the PC I get communications to the 7x S7-300 PLCs but not the 1x S7-1500 PLC. I told the IT people that the runtime would communicate to the PLCs using TCP port 102, which should be correct from what I've read on the Siemens website and in their literature. If I take my laptop into the factory, plug in anywhere on their machine network and fire up the runtime using a machine network IP, I get communications to all 8 PLCs without any problems. IT are adamant their configuration is correct and can see the PLC on their network, so I'm left wondering if I need a different port or something else added for an S7-1500 PLC when using NAT or going through a firewall.

Any advice would be greatly appreciated.

TIA

I should add that the PC the runtime sits on isn't in the hardware configuration of any of the PLCs I'm communicating with. I have set up connections in the HMI project using 7x S7 300/400 communications drivers and 1x S7 1500, and it works flawlessly on my laptop without the firewall. Everything points to the firewall being the problem, but IT are not having it.
 
Port 102 should be correct.

I would assume that the NAT'ed addresses are different from the machine network addresses, so I would guess that you cannot merely start the same HMI program on the machine network. But since it works, there is something I don't understand.

There is probably a router in the machine network for the VPN connection from the office to the machine network. Is this router set up in the S7-1500 program?

A sketch of the network would be helpful.
 
Does your V17 1500 have the "legacy comms" and "put get" enabled under security in the HW properties?

By default, starting in V17, the old style S7 comms don't work, in favor of the new encrypted comms (that WinCC Flex doesn't and won't support).
 
> Does your V17 1500 have the "legacy comms" and "put get" enabled under security in the HW properties?
> By default, starting in V17, the old style S7 comms don't work, in favor of the new encrypted comms (that WinCC Flex doesn't and won't support).

He wrote this:

> I have set up connections in the HMI project using 7x S7 300/400 communications drivers and 1x S7 1500 and it works flawlessly on my laptop without the firewall.

So that cannot be the explanation.
 
> Port 102 should be correct.
>
> I would assume that the NAT'ed addresses are different from the machine network addresses, so I would guess that you cannot merely start the same HMI program on the machine network. But since it works, there is something I don't understand.
>
> There is probably a router in the machine network for the VPN connection from the office to the machine network. Is this router set up in the S7-1500 program?
>
> A sketch of the network would be helpful.

I am not on site there just now, I'm working elsewhere this week, but I need to find the cause of the problem somehow. It's a big factory with lots of equipment, some of which I've been involved with installing, but most of it was done by others.

The particular line I'm having problems with has a main panel with an S7-1512SP-1 PN CPU with a single network port (the other 2 ports are optional at the time of purchase and weren't chosen) and a 5-port unmanaged XB005 Scalance switch. From this switch there are 2 outgoing network cables, each of which goes off to a remote panel at each end of the production line. In the filling end of the line there is an HMI screen, an ET200SP IM155-6PN ST remote I/O module and a 5-port unmanaged XB005 network switch with an incoming network cable from the CPU panel. At the other end of the line there is an identical set-up, except that there are 2 external network cables coming into the panel instead of one, and they both go directly into the network switch. One cable will be from the CPU panel and the other will link somewhere to the customer network.

The IT people informed me today that all the CPUs are configured to allow access from the PC using port 102. They can see the offending CPU on their network but are unable to ping it from their nearest managed switch. When I tried using Telnet from the PC when I was last on site, all other PLCs were listening on port 102, but it failed to get a response from this PLC and gave an error saying it was unable to connect.

The machine network is on a different network range from the corporate network, and I have no details of what they've used to configure the firewall, but they sent me this from their ping testing:

-------------------------------------------
It is not a Firewall issue as I can see the port authenticated in our managed switch:

CABK-SWUKCLF02#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.5.236.190 0 ac64.1716.6050 ARPA Vlan61

CABK-SWUKCLF02#sh mac add add ac64.1716.6050
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
61 ac64.1716.6050 STATIC Gi1/0/10
Total Mac Addresses for this criterion: 1

CABK-SWUKCLF02#sh auth sess int Gi1/0/10 | inc ac64.1716.6050
Gi1/0/10 ac64.1716.6050 mab DATA Auth 02ED050A0000001CB00515A7
CABK-SWUKCLF02#

CABK-SWUKCLF02#ping 10.5.236.190
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.236.190, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

-------------------------------------------

I've suggested they try to power the CPU down at some point when convenient to see if this resolves it.

 
> Port 102 should be correct.
>
> I would assume that the NAT'ed addresses are different from the machine network addresses, so I would guess that you cannot merely start the same HMI program on the machine network. But since it works, there is something I don't understand.
>
> There is probably a router in the machine network for the VPN connection from the office to the machine network. Is this router set up in the S7-1500 program?
>
> A sketch of the network would be helpful.

When I use the runtime on the office PC I use the IP address of the PC in the connection settings of the HMI project, but when I run it from my laptop I change the IP to a spare IP address on the machine network. I can connect into any of the 3 switches on this line and it works from my laptop, and if I connect through a switch on another machine elsewhere in the factory it also works from my laptop.

They haven't added any physical hardware for this PC, and my understanding is that they have used NAT through a firewall to link the PC on IP 10.5.217.35, subnet 255.255.255.240, to all of the PLCs, which are on IP range 10.5.236.xxx with subnet 255.255.255.0.
 
If they cannot ping the PLC from the remote network, then they cannot 'see' it.
What do they mean by the statement that they 'can see the CPU'?
Can they ping any other device on the machine network from the remote network?

I also don't understand your usage of the NAT. If the machine network's IP addresses are translated to other addresses on the remote network, then the HMI must use the translated addresses to access the PLCs.
It confuses me that you say that the 7 S7-300s connect fine, but not the S7-1500 PLC.
Try to list all the IP addresses, subnets and routers, including the translated addresses.
 
Just a brief update in case anyone comes across this post with a similar problem. I have been working on other projects but finally resolved my issue today, and the cause was the subnet mask of the S7-1500 PLC. Every other PLC I was connecting to was using 255.255.254.0 and this one had 255.255.255.0. It needed to be the same as the others in order for the connection to work through the firewall.
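The resolution above is a subnet-mask mismatch: a PLC decides from its own mask whether a peer is on the local segment (answer it directly via ARP) or off-link (send the reply to a configured router, or drop it if none is configured). With 255.255.255.0 the S7-1500 treats only 10.5.236.x as local, while 255.255.254.0 covers 10.5.236.0 through 10.5.237.255. The following script, added here as a worked example and not code from anyone in the thread, compares the two masks for the PLC address shown in the IT department's switch output (10.5.236.190). The thread never states what translated address the firewall presents to the PLC, so 10.5.237.20 is a placeholder assumption chosen to show the effect; the PC's real office address 10.5.217.35 is included to show that it is off-link under either mask.

```python
"""Subnet-mask reachability check for a PLC behind a NAT firewall.

Added example for the thread above; not code from the original posts.
Models the one rule a PLC applies when replying: same subnet -> reply directly,
different subnet -> reply only if a router (default gateway) is configured.
"""
import ipaddress
from typing import Dict, Iterable, Optional

# Values taken from the thread.
PLC_IP = "10.5.236.190"          # S7-1500 address in the IT 'sh arp' output
MASK_WORKING = "255.255.254.0"   # /23, the mask the seven S7-300s used
MASK_BROKEN = "255.255.255.0"    # /24, the mask found on the S7-1500
PC_IP = "10.5.217.35"            # office PC's real address

# Constructed assumption: the thread does NOT say which address the firewall
# presents to the PLC after NAT. This placeholder is only here to illustrate
# why the mask width matters.
NAT_PLACEHOLDER = "10.5.237.20"


def is_on_link(local_ip: str, mask: str, peer_ip: str) -> bool:
    """Return True if, from local_ip/mask's point of view, peer_ip is on the
    same broadcast domain and can be reached directly via ARP."""
    local = ipaddress.ip_interface(f"{local_ip}/{mask}")
    return ipaddress.ip_address(peer_ip) in local.network


def reply_path(local_ip: str, mask: str, peer_ip: str,
               router: Optional[str] = None) -> str:
    """Describe how a host at local_ip/mask would route a reply to peer_ip."""
    if is_on_link(local_ip, mask, peer_ip):
        return "direct (ARP on local segment)"
    if router is None:
        return "UNREACHABLE: off-link and no router configured"
    return f"via router {router}"


def compare_masks(local_ip: str, peers: Iterable[str], masks: Iterable[str],
                  router: Optional[str] = None) -> Dict[str, Dict[str, str]]:
    """Build {mask: {peer: reply_path}} so the effect of each mask is visible
    side by side. This is what to check first when one PLC in a group fails
    through a firewall while its siblings work."""
    peers = list(peers)
    return {m: {p: reply_path(local_ip, m, p, router) for p in peers}
            for m in masks}


def network_of(local_ip: str, mask: str) -> str:
    """Return the CIDR network local_ip/mask belongs to, e.g. '10.5.236.0/23'."""
    return str(ipaddress.ip_interface(f"{local_ip}/{mask}").network)


if __name__ == "__main__":
    for mask in (MASK_BROKEN, MASK_WORKING):
        print(f"PLC {PLC_IP} mask {mask} -> network {network_of(PLC_IP, mask)}")
    table = compare_masks(PLC_IP, [NAT_PLACEHOLDER, PC_IP],
                          [MASK_BROKEN, MASK_WORKING])
    for mask, rows in table.items():
        print(f"\nmask {mask}:")
        for peer, path in rows.items():
            print(f"  reply to {peer:<14} {path}")
```

Running it prints that 10.5.236.190/24 lives in 10.5.236.0/24 while 10.5.236.190/23 lives in 10.5.236.0/23, and that the placeholder peer is only on-link under the wider mask. The practical check this encodes: when a device's own mask differs from its neighbours', the symptom is exactly what the thread describes, the device is visible in ARP and MAC tables on the switch yet neither pings nor accepts TCP connections from anything it considers off-link.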
 
Is the firewall IP in the 10.5.236.xxx range or 10.5.xxx.xxx?
Is the PLC gateway IP the same as the firewall switch's IP?
 
I have no info on the firewall. It was configured and set up by the client's IT department, and I believe they used NAT. The IP address of the PC is 10.5.217.35, and it sits in an office upstairs, separate from the machine network. They configured one port in the office to allow the PC to gather data from 8 PLCs in the factory, but one wouldn't work. The problem turned out to be that the subnet mask was different in that one.
 