Double NAT for Client Access to a PLC Across Networks

Network Topology

  • Devices Involved: A PLC (acting as a server), Industrial Firewall, and clients on Network B.

  • Setup:

    • Network A: 192.168.10.0/24 (PLC resides here).
    • Network B: 10.10.10.0/24 (HMI or external device).
    • The firewall has interfaces in both networks and translates traffic between them.

Benefit

  • Secure Cross-Network Access:

    • The PLC remains hidden from direct client access, reducing attack surfaces.
    • Communication occurs through the firewall.
  • Compatibility:

    • Allows legacy PLCs to communicate with modern devices on separate networks without altering their configurations.
  • Practical Use Cases:

    • A client application in Network B can fetch data or issue commands to the PLC securely.
    • PLC data can be monitored without exposing it to the entire client network.

Configuration Steps

Configure the IP for the LAN and DEVICE ports:

NAT Setting

Destination NAT (1:1 or Port Forwarding):

  • Create rules to forward client requests to the PLC’s IP on LAN interface.
  • Traffic from 10.10.10.9 destined for 10.10.10.1 (firewall IP in Network B) → 192.168.10.10 (PLC’s IP address)

Source NAT (Masquerading):

  • Create Masquerading rules to translate the source IP of packets from Network B to the firewall’s IP in Network A on DEVICE interface.
  • Traffic from 10.10.10.9 will be translated to 192.168.10.1 (firewall IP in Network B) (DEVICE’s port)

Firewall Rule

Create a rule based on the IP address after DNAT.

  • The initial connection is: 10.10.10.9 → 10.10.10.1
  • After DNAT, the connection will be: 10.10.10.9 → 192.168.10.10

PCAP Analyze

Traffic that is captured from 10.10.10.9

Traffic that is captured from 192.168.10.10

Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard