gateway icon  PRODUCT SELECTOR:

Connect Your:

To:

RTA's Blog

Types of Network Address Translation (NAT) for Control Systems (Part 1)

Posted on by John S Rinaldi
Four types of Network Address Translation
12
Jan

In an earlier article, I discussed the concept of Network Address Translation. That article described why you, as a control engineer or machine builder, would want to implement NAT in an EtherNet/IP or PROFINET IO control system. In this article, I am going to describe the first two forms of Network Address Translation: 1:1 NAT and Port Forwarding.

1:1 NAT

A 1:1 NAT is simply a way to assign an external network address to one or more specific addresses inside a control system (EtherNet/IP, Modbus TCP, PROFINET IO – it doesn’t matter). In the nearby drawing, three 1:1 NATs are assigned by the network address translator device (NAT). The internal control system addresses of 192.168.100.x are assigned to individual external network addresses of 10.10.5.x.

1:1 NAT

Why Use 1:1 NAT?

Often, you’ll have devices on your control network that have data needed by application on your corporate network. For example, if you have a Modbus TCP device with temperature data, you can make that temperature data available to a client application on the external network.

Port Forwarding NAT

In Port Forwarding NAT you can make a number of devices available on the external network using a single address. Port numbers, you may remember, are numbers that identify specific applications. Port 80 identifies web server traffic, for example. Port forwarding is used to forward messages by porting to different internal addresses on the control network side of the Network Address Translator (NAT).

NAT Port Forwarding

Why Use it?

In many EtherNet/IP, PROFINET IO, and Modbus TCP control systems, there are devices with web servers. If you choose to make those web servers available on your external network, you have the problem of how to direct individual clients to each web server. You could use a single NAT for each of them, or you could use port forwarding. With port forwarding, you can make those web servers on HMIs and PLCs on your control network available using a single external IP address. Simply assign port numbers to each of the internal web servers and have clients use the port number to access a webserver on the specific device. In the example to the right, a client on the external network can access the internal device on 192.168.100.12 using port number 12001. The notation for that would be https://192.168.100.12:12001.

The next article in this series will discuss the next two types of NAT implementations; 1:many and outbound NATs.

PS: If you need NAT in your control system, you should check out the ICS-Defender NAT/RA device. Not only does the ICS Defender have full NAT capabilities to do all the network address translation discussed in these articles, but it also has Remote Access and many other features in a graphical, menu-driven interface. You can learn more about ICS Defender by clicking on ICS Defender NAT/RA.

Avatar photo
John S Rinaldi

John Rinaldi is Chief Strategist, Business Development Manager and CEO of Real Time Automation (RTA). After escaping from Marquette University with a degree in Electrical Engineering, John worked in various jobs in the Automation Industry before once again fleeing back into the comfortable halls of academia. At the University of Connecticut, he once again talked his way into a degree, this time in Computer Science (MS CS). John is a recognized expert in industrial networks and the author of six books: Modbus: The Everyman’s Guide to Modbus, OPC UA – Unified Architecture: The Everyman’s Guide to OPC UA, EtherNet/IP: The Everyman’s Guide to EtherNet/IP, The Smart Product Manager’s Guide to Industrial Automation Connectivity, The Smart Product Manager’s Guide to Connectivity in the Packaging Industry, and his latest, The Everyman’s Guide to Properly Architecting Ethernet/IP Networks.