Types of Network Address Translation (NAT) for Control Systems (Part 1)

Four types of Network Address Translation

In an earlier article, I discussed the concept of Network Address Translation. That article described why you, as a control engineer or machine builder, would want to implement NAT in an EtherNet/IP or PROFINET IO control system. In this article, I am going to describe the first two forms of Network Address Translation: 1:1 NAT and Port Forwarding.

1:1 NAT

A 1:1 NAT is simply a way to assign an external network address to one or more specific addresses inside a control system (EtherNet/IP, Modbus TCP, PROFINET IO – it doesn’t matter). In the nearby drawing, three 1:1 NATs are assigned by the network address translator device (NAT). The internal control system addresses of 192.168.100.x are assigned to individual external network addresses of 10.10.5.x.

Figure: 1:1 NAT

Why Use 1:1 NAT?

Often, you’ll have devices on your control network that hold data needed by applications on your corporate network. For example, if you have a Modbus TCP device with temperature data, a 1:1 NAT lets you make that temperature data available to a client application on the external network without exposing the control network’s internal addressing.

Port Forwarding NAT

In Port Forwarding NAT you can make a number of devices available on the external network using a single address. Port numbers, you may remember, are numbers that identify specific applications; port 80 identifies web server traffic, for example. Port forwarding uses the destination port number of an incoming message to decide which internal address on the control network side of the Network Address Translator (NAT) the message is forwarded to.

Figure: NAT Port Forwarding

Why Use it?

In many EtherNet/IP, PROFINET IO, and Modbus TCP control systems, there are devices with web servers. If you choose to make those web servers available on your external network, you have the problem of how to direct individual clients to each web server. You could use a separate 1:1 NAT for each of them, or you could use port forwarding. With port forwarding, you can make those web servers on HMIs and PLCs on your control network available using a single external IP address. Simply assign a port number to each of the internal web servers and have clients use that port number to reach the web server on the specific device. In the example to the right, a client on the external network can access the internal device on 192.168.100.12 using port number 12001. The notation for that would be https://192.168.100.12:12001.
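To make the two translation rules concrete, here is a small simulation of the inbound (external-to-control-network) rewriting a NAT device performs for both the 1:1 NAT and the port forwarding cases above. This is an added example, not code from the article or from any NAT product; the 192.168.100.x and 10.10.5.x addresses follow the article, while the NAT’s own external address (10.10.5.1), the specific port-forward entries and the internal service ports (443 for the web servers, 502 for Modbus TCP) are assumptions made for the example.

```python
"""Simulate inbound destination rewriting for 1:1 NAT and port forwarding.

Added example, not from the original article. Address scheme follows the
article; NAT_EXTERNAL_IP, the forwarding table and service ports are assumed.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int


# 1:1 NAT: each internal device gets its own external address; the port is
# carried through unchanged, so every service on the device is reachable.
ONE_TO_ONE = {
    "10.10.5.10": "192.168.100.10",
    "10.10.5.11": "192.168.100.11",
    "10.10.5.12": "192.168.100.12",
}

# Port forwarding: one external address (assumed) shared by several devices;
# the external port selects the internal device and its real service port.
NAT_EXTERNAL_IP = "10.10.5.1"
PORT_FORWARDS = {
    12001: ("192.168.100.12", 443),  # HMI web server (port from the article)
    12002: ("192.168.100.13", 443),  # PLC web server (assumed)
    15020: ("192.168.100.20", 502),  # Modbus TCP temperature device (assumed)
}


def translate_inbound(pkt: Packet) -> Optional[Packet]:
    """Return the packet as delivered on the control network, or None.

    Only destinations covered by a mapping are forwarded; anything else,
    including a packet addressed straight to an internal address, is dropped.
    """
    if pkt.dst_ip in ONE_TO_ONE:
        return replace(pkt, dst_ip=ONE_TO_ONE[pkt.dst_ip])
    if pkt.dst_ip == NAT_EXTERNAL_IP and pkt.dst_port in PORT_FORWARDS:
        internal_ip, internal_port = PORT_FORWARDS[pkt.dst_port]
        return Packet(internal_ip, internal_port)
    return None


def client_url(external_port: int) -> str:
    """URL an external client uses to reach a port-forwarded web server."""
    return f"https://{NAT_EXTERNAL_IP}:{external_port}"


if __name__ == "__main__":
    for probe in (Packet("10.10.5.12", 502), Packet("10.10.5.1", 12001),
                  Packet("10.10.5.1", 8080), Packet("192.168.100.12", 443)):
        print(probe, "->", translate_inbound(probe))
```

Running the block shows the 1:1 entry passing the Modbus port through unchanged, the port-forward entry landing on the HMI’s web server, and the unmapped probes being dropped.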

The next article in this series will discuss the next two types of NAT implementations: 1:many and outbound NATs.

PS: If you need NAT in your control system, you should check out the ICS-Defender NAT/RA device. Not only does the ICS Defender have full NAT capabilities to do all the network address translation discussed in these articles, but it also has Remote Access and many other features in a graphical, menu-driven interface. You can learn more about ICS Defender by clicking on ICS Defender NAT/RA.