Name: Siemens S7-1200
Brand: Siemens
Rating: 4 (1 reviews)

To Next Page

To Previous Page

Configuration and operation

4.13 Security functions

CP 1243-7 LTE

Operating Instructions, 01/2015, C79000-G8976-C381-01

4.13.1.6

CP as passive subscriber of VPN connections

Setting permission for VPN connection establishment with passive subscribers

If the CP is connected to another VPN subscriber via a gateway, you need to set the

permission for VPN connection establishment to "Responder".

This is the case in the following typical configuration:

VPN subscriber (active) ⇔ gateway (dyn. IP address) ⇔ Internet ⇔ gateway (fixed IP

address) ⇔ CP (passive)

Configure the permission for VPN connection establishment for the CP as a passive

subscriber as follows:

1. In STEP 7, go to the devices and network view.

2. Select the CP.

3. Open the "VPN" tab.

4. For each VPN connection with the CP as a passive VPN subscriber, change the default

setting "Initiator/Responder" to the setting "Responder".

4.13.2

Firewall

4.13.2.1

Firewall sequence when checking incoming and outgoing frames

Each incoming or outgoing frame initially runs through the MAC firewall (layer 2). If the frame

is discarded at this level, it will not be checked by the IP firewall (layer 3). This means that

with suitable MAC firewall rules, IP communication can be restricted or blocked.

4.13.2.2

Notation for the source IP address (advanced firewall mode)

If you specify an address range for the source IP address in the advanced firewall settings of

the CP, make sure that the notation is correct:

● Separate the two IP addresses only using a hyphen.

Correct: 192.168.10.0-192.168.10.255

● Do not enter any other characters between the two IP addresses.

Incorrect: 192.168.10.0 - 192.168.10.255

If you enter the range incorrectly, the firewall rule will not be used.

4.13.2.3

Firewall settings for S7 connections via a VPN tunnel

IP rules in advanced firewall mode

If you set up S7 connections with a VPN tunnel between the CP and a communications

partner, you will need to adapt the local firewall settings of the CP:

Select the "Allow*" action for S7 connections in advanced firewall mode ("Security > Firewall

> IP rules") for both communications directions of the VPN tunnel.

Other manuals for Siemens S7-1200

System Manual1028 pages

Manual46 pages

Questions and Answers:

Need help?

Do you have a question about the Siemens S7-1200 and is the answer not in the manual?

Siemens S7-1200 Specifications

General

Digital Inputs	Integrated in CPU or via signal modules (SM)
Digital Outputs	Integrated in CPU or via signal modules (SM)
Analog Inputs	Integrated in CPU or via signal modules (SM)
Analog Outputs	Integrated in CPU or via signal modules (SM)
Communication	PROFINET
Communication Ports	1 x PROFINET
I/O Modules	Signal Modules (SM)
Programming	STEP 7
Power Supply	24V DC
Operating Temperature	0°C to 55°C
Expansion Modules	Communication Modules (CM), Battery Modules (BM)