Port 102 should be correct.
I would assume that the NAT'ed addresses are different than the machine network addresses, so I would guess that you cannot merely start the same HMI program on the machine network. But since it works, there is something I don't understand.
There is probably a router in the machine network for the VPN connection from the office to the machine network. Is this router set up in the S7-1500 program?
A sketch of the network would be helpful.
I am not on site there just now, I'm working elsewhere this week but need to find the cause of the problem somehow. It's a big factory with lots of equipment, some of which I've been involved with installing but most of it was done by others.
The particular line I'm having problems with has a main panel with a S7-1512SP-1 PN CPU with a single network port (the other 2 ports are optional at the time of purchase and weren't chosen) and a 5 port unmanaged XB005 Scalance switch. From this switch there are 2 outgoing network cables, each of which goes off to a remote panel at each end of the production line. In the filling end of the line there is an HMI screen, an ET200SP IM155-6PN ST remote I-O module and a 5 port unmanaged XB005 network switch with an incoming network cable from the CPU panel. At the other end of the line there is an identical setup except that there are 2 external network cables coming into the panel instead of one and they both go directly into the network switch. One cable will be from the CPU panel and the other will link somewhere to the customer network.
The IT people informed me today that all the CPUs are configured to allow access from the PC using port 102. They can see the offending CPU on their network but are unable to ping it from their nearest managed switch. When I tried using Telnet from the PC when I was last on site all other PLCs were listening on port 102 but it failed to get a response from the PLC and gave an error saying it was unable to connect.
The machine network is on a different network range than the corporate network and I have no details of what they've used to configure the firewall but they sent me this from their ping testing:
-------------------------------------------
It is not a Firewall issue as I can see the port authenticated in our managed switch:
CABK-SWUKCLF02#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.5.236.190 0 ac64.1716.6050 ARPA Vlan61
CABK-SWUKCLF02#sh mac add add ac64.1716.6050
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
61 ac64.1716.6050 STATIC Gi1/0/10
Total Mac Addresses for this criterion: 1
CABK-SWUKCLF02#sh auth sess int Gi1/0/10 | inc ac64.1716.6050
Gi1/0/10 ac64.1716.6050 mab DATA Auth 02ED050A0000001CB00515A7
CABK-SWUKCLF02#
CABK-SWUKCLF02#ping 10.5.236.190
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.236.190, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
-------------------------------------------
I've suggested they try to power the CPU down at some point when convenient to see if this resolves it.