gateway icon  PRODUCT SELECTOR:

Connect Your:

To:

RTA's Blog

Types of Network Address Translation (NAT) for Control Systems (Part 2)

Posted on by John S Rinaldi
Types of NAT
19
Jan

Part 1 of this series discussed 1:1 NAT and Port Forwarding NAT. This article continues with a discussion of two other Network Address Translations: 1:many and Outbound.

Note that the use cases for this discussion are generic but are useful for control system networks using EtherNet/IP, Modbus TCP, and PROFINET IO. Many of these concepts that follow (but not all) are IT concepts, and the use cases are going to be different than many of the IT use cases.

1:many NAT

1:many NAT is a more difficult NAT concept to understand than the concepts in the last article. It is a combination of 1:1 NAT and the Port Forwarding NAT. Unlike 1:1 NAT, the destination address in the control network can vary. Unlike Port Forwarding NAT, you can specify a slew of ports to use in the mapping. 1:many translates a series of ports on an inbound address to a series of destinations and port numbers inside the control network.

1:many NAT

Why Use it?

Given the limited scope of control systems and that we want to restrict the number of devices on the control system that is accessed by external clients, there aren’t many use cases for 1:many.

Outbound NAT

An Outbound NAT is simply a way for an internal device to easily map communication to a remote client. The NAT device substitutes the original target and port number for a new destination. The address of the NAT WAN interface is substituted for the originator of the message.

outbound NAT

Why Use it?

It is generally more secure for a control system device to initiate communications with a network device than it is for outside devices to try to connect to devices inside the control network.

Network Address Translation is a handy tool for control engineers and nearly vital for machine builders. There are lots of NAT devices built for IT, but these devices generally used the very cryptic notation that is common for trained IT professionals. Even the NAT devices from the large control system vendors are cryptic and hard to use.

An alternative is the ICS-Defender NAT/RA device from Dynics. Not only does the ICS Defender have full NAT capabilities to do all the network address translation discussed in the last two articles, but it also has Remote Access and many other features in a graphical, menu-driven interface. You can learn more about ICS Defender by clicking on ICS Defender NAT/RA.

Avatar photo
John S Rinaldi

John Rinaldi is Chief Strategist, Business Development Manager and CEO of Real Time Automation (RTA). After escaping from Marquette University with a degree in Electrical Engineering, John worked in various jobs in the Automation Industry before once again fleeing back into the comfortable halls of academia. At the University of Connecticut, he once again talked his way into a degree, this time in Computer Science (MS CS). John is a recognized expert in industrial networks and the author of six books: Modbus: The Everyman’s Guide to Modbus, OPC UA – Unified Architecture: The Everyman’s Guide to OPC UA, EtherNet/IP: The Everyman’s Guide to EtherNet/IP, The Smart Product Manager’s Guide to Industrial Automation Connectivity, The Smart Product Manager’s Guide to Connectivity in the Packaging Industry, and his latest, The Everyman’s Guide to Properly Architecting Ethernet/IP Networks.