Hello,

Thank you for the reply!

I may not have explained very well or not quite understand your reply (my lack of understanding) but I will attempt to explain the way I hope we can have packets traverse the network:

1. PLC-A (10.1.1.10) send IP Packet port 502 to router outside interface  G0 (10.1.1.3)
2. Router receives packet, translates source to IP of  F0 interface (172.16.0.3) and forwards packet to PLC-B address of 172.16.0.10 (IP src 172.16.0.3 IP dest 172.16.0.10)
3. PLC-B sees the packet being on the same subnet and replies to the inside interface of the router of 172.16.0.3 (IP src 172.16.0.10 IP dest 172.16.0.3)
4. Router receives packet on F0 and translates to source IP of G0 interface and forwards packet to PLC-A. (IP src 10.1.1.3 IP Dest 10.1.1.10).

In essence, I would like each side of the routers subnets appear like the PLC's are talking directy to their respective router interface and not rely on DFGW’s. I am using DFGW setting in the PLC's to forward packets to cell modem to get access to PLC Host system at a Gas Plant. The router is merely here to bridge to separate subnets together and not rely on this router to be the subnets DFGW.

I hope this makes sense?

Thanks!

Brett

It does but a few things -

1) how many PLCs need this communication. If it is more than one per subnet and they use the same port you can't use the interface IP for both because the router won't know which one you want to send it to.

You can use spare IPs in each subnet, if you have them. The router will respond for those IPs if you have a static NAT statement configured because of proxy arp so you don't have to use the interface IPs.

Do you have spare IPs ?

2) is the connection always on the same port and if so it that port you mentioned TCP.

Does the connection always get initiated from one subnet to the other or can it be initiated from either subnet ?

Again if it can be initiated from either subnet it would be better, depending on the number of PLCs to use spare IPs and have a one to one mapping.

Jon

Hi Jon,

Answers below...

1) how many PLCs need this communication. If it is more than one per subnet and they use the same port you can't use the interface IP for both because the router won't know which one you want to send it to.

BM-one PLC per subnet

You can use spare IPs in each subnet, if you have them. The router will respond for those IPs if you have a static NAT statement configured because of proxy arp so you don't have to use the interface IPs.

Do you have spare IPs ?

BM- I have a spare only on one of the subnets (inside)

2) is the connection always on the same port and if so it that port you mentioned TCP.

BM- YES random source port on Outside PLC to destination TCP port 502.

Does the connection always get initiated from one subnet to the other or can it be initiated from either subnet ?

BM- Yes, TCP communications will always be initiated from outside PLC to inside PLC.

Again if it can be initiated from either subnet it would be better, depending on the number of PLCs to use spare IPs and have a one to one mapping.

Thank you!

Which is the outside PLC and which is the inside ?

Just to clarify you say it will always be initiated from outside to inside but then say it would be better if it could be initiated either way.

So which is it ie. in the long term do you want it both ways ?

The thing is if you want multiple PLCs in the future on the same port you are going to need spare IPs.

Now you can use a totally different IP subnet on either side to give you those IPs and again the router will respond to those IPs as long as it has static NAT statements.

So if you need multiple PLCs and connections initiated from either side and it doesn't matter which IPs you use then probably best to say now and I can do a quick lab test to try and get a configuration for you.

Does that make sense ?

Jon

Hi Jon,

Outside PLC is in LAN A-- 10.1.1.3

Inside PLC is in LAN B-- 162.16.0.3

Short term, outside to inside is fine. I may be able to get an additional IP on the Outside but I do not manage that subnet and was only provided a single IP to put on the router Outside interface.

The network addresses and subnets I mention in this thread are fixed. 

Like I said, with Static NAt on the outside, the packet will get to PLC B but the source IP is from LAN A and therefor PLC B sends response to DFGW on LAN A....

Thanks for all of your help! I can make a drawing to help better illustrate if my description is not clear?

Thanks!

Sorry typo..clarification follows:

Hi Jon,

Outside PLC is in LAN A-- 10.1.1.3

Inside PLC is in LAN B-- 172.16.0.3

Short term, outside to inside is fine. I may be able to get an additional IP on the Outside but I do not manage that subnet and was only provided a single IP to put on the router Outside interface.

The network addresses and subnets I mention in this thread are fixed. 

Like I said, with Static NAT on the outside, the packet will get to PLC B but the source IP is from LAN A and therefor PLC B sends response to DFGW on LAN A...

Thanks for all of your help! I can make a drawing to help better illustrate if my description is not clear?

Thanks!

Hi Jon,

I attached a drawing for reference...

Brett

Did you see may last post.

I understand what you want to do already.

I just need to know if you have a spare IP on the inside ?

Please read my last post to understand why changing the outside IP to the router's inside interface isn't a good idea.

Jon

Hi Jon,

Your last post has not shown up in the forum but I did see the email.

Anyhow, yes, I have a fee IP on the inside 10.33.x.x network.

Thanks again

No problem.

So you have this already -

ip nat inside source static tcp 10.33.x.x 502 10.64.x.x 502 extendable

so from inside to outside a route lookup is done before NAT which is the issue because the router receives the return packet from the inside PLC and the destination IP is a 10.33.x.x IP and so it discards it because it has a directly connected interface in the IP subnet.

So you need add a route before the NAT ie. -

ip nat outside source static <PLC IP on outside> <spare IP on inside> add-route

what the add-route option does is to add a host specific route in your routing table which would look like -

<spare IP> 255.255.255.255 <PLC IP on outside>

because it is a host route it is more specific than the directly connected /24 you have for the inside network in the IP routing table and so it routes it to the outside interface and then does the NAT.

If the add-route option is not available then you can add it manually ie.

ip route <spare IP> 255.255.255.255 <PLC IP on outside>

Give it a go and let me know how you get on.

Jon

Hi Jon,

Sorry for my lack of understanding but I don't understand the following:

ip nat inside source static tcp 10.33.x.x 502 10.64.x.x 502 extendable

(BM- the above statement takes a packet from the Outside PLC 10.64.x.x and forwards it directly to 10.33.x.x). The inside PLC sees this packet but the source IP is from 10.64.x.3 which is not on his inside subnet so he sends the packet to it's default gateway of 10.33.x.1 which is the cell modem and not the router separating these subnets. If I make the inside PLC's default gateway the address of the router inside IP, packets go back and forth but this creates a situation where I cannot access the inside PLC via the cell modem. I would like the inside PLC to see the source of the original outside PLC packet to be from an address in the inside subnet (F0 interface)  so the packet goes back to the inside IP address of the router.) Does this make sense?

I have attached another drawing showing specifically what is happening. I should have sent this originally. I am not sure if this will change what you posted but it may help me better undertstand what comnmands may fix this.

Thank you again for your time in helping--I really appreciate it!

Brett

Are you not seeing my responses ?

My last post has given you the solution, did you not try it ?

You need both static NAT statements, the one you have and the one I provided for you to use.

I don't understand why you are not seeing my posts ?

Jon

Hi Jon,

I just implemented the following command and it now works. Thank you! I was wondering if you can explain how these nat statements and routing take place to better understand how this works. I have attempted to explain what each statement does but your expert advice/explanation would be greatly appreciated here...

ip nat inside source static tcp 10.33.5.2 502 10.64.41.196 502 extendable
ip nat outside source static 10.64.41.194 10.33.5.80 add-route

Am I to assume that the first ip nat inside is the redirection of packets it receives on the outside interface IP/port and to forward(or translate) to destination IP/port# ?

The second ip nat outside command is basically any source packets from 10.64.41.194 to replace with 10.33.5.80 as its natt'd source ip?

Is there any document you are aware of that simplifies some of the nat operations?