Enable Access ctrlX AUTOMATION using Network Address Translation (NAT)

Introduction - A Machine Builder's Situation

IP addressing for all electrical devices with ethernet capabilities are a challenge in the manufacturing ecosystem. Machine Builders have to start with a standard setup of IP addresses. When deploying into the field these IP addresses have mostly be changed when integrating into an OT-network with a lot of already existing devices. Depending on the size of the plant new addressing can take some time and new hurdles might appear when integrating.

To ease this situation Moxa created the NAT-102. Machine Builders can use the function of Network Address Translation to let machine builders use their standard setup of IP addresses for all their machines. Even when deploying more of the same machine type into the same plant or line without causing communication issues due to same IP addresses. The NAT-102 can take care about this with creating an external unique IP address to be reachable. This reduces engineering time and also eases the service effort when machines have to be reached and analyzed in moments of failure.

This How-to shows how to create one of those scenarios when controlling your machine with ctrlX AUTOMATION.

NAT-102 configuration

Purpose

The goal is to provide means of flexible integration of multiple ctrlX CORE, deployed with same IP configuration to your ctrlX PLC Engineering station using MOXA NAT-102, 2-port industrial Network Address Translation (NAT) devices.

An example topology could be as seen below. Each ctrlX CORE comes with the same IP configuration but should connect to the same network of ctrlX PLC Engineering station.

Configuration Topology

Configuration PC: IP address192.168.127.50/24NAT - 102 Default IP address192.168.127.254/24

The IP of the configuration PC can be any IP that is not used, within the 192.168.127.x network.
The NAT-102 comes with two ports having default LAN IP address is 192.168.127.254.

The internal port (Port 1) will connect to the ctrlX Core in 192.168.1.x network.
The external port (Port 2) will be used as WAN port to connect to the upper-level
network, in our case 192.168.127.x

This leads to the following target topology

The IP’s used in this guide, will be denoted in the following table. They can be differently in your target environment.

ctrlX PLC Engineering PC 192.168.127.50/24NAT - 102 WAN IP (port 2)192.168.127.20/24NAT - 102 Secondary WAN IP (port2)192.168.127.1/32NAT - 102 LAN IP (port1)192.168.1.20/24ctrlX CORE192.168.1.1

The NAT-102 secondary WAN IP will be the NAT 1:1 IP, used to access ctrlX Core from ctrlX PLC Engineering device.

NOTE: Neither the ctrlX PLC Engineering device nor the ctrlX CORE would need to have a Gateway configured with using the “Double NAT” feature from NAT-102.

Configuration Steps

Step 1: Web Connection

Connect to NAT Web GUI with https://192.168.127.254/ .

You may see the security warning as below, which is which is caused by the SSL certificate from NAT-102 not known to the configuration PC.

Click the button "Advanced" and then "Proceed to 192.168.127.254 (unsafe)" to get to the login screen of NAT-102.

Step 2: Login

Login via default cedentials admin / moxa
After pressing "LOG IN" you will see the NAT-102 menu and "Device Summary" as well as the most recent "System Message" which you should close to get access to the menu items.

Step 3: Configure VLAN Settings

After successful login the first step is to configure two VLAN.
One VLAN will be used for defining the LAN and the other VLAN will be for defining the WAN interface.
We will use VLAN 1 for LAN and VLAN 2 for WAN.
As VLAN 1 already exist, we only need to add VLAN ID 2 to the configuration.

Therefore, go to “Network Configuration -> Layer 2 Switching -> VLAN” and after click on the VLAN menu item, you select the “Settings” Tab.

To add another VLAN, click on the "+" symbol to create a new VLAN and use VLAN ID 2.

After creation you’ll find the new VLAN ID available, but not assigned to any port yet.

To assign the VLAN ID 2 to our port 2, click on the pen symbol for port 2.

In the port 2 Settings change PVID to 2 and click the "APPLY" button.

You will see that afterward port 1 is member of VLAN 1 and port 2 is member of VLAN 2.

Step 4: Configure WAN port

Go to "Network Configuration -> Layer 3 Interface" and select the "WAN" tab.

The settings to be done are as follows:
VLAN ID: 2
Connection Type: Change to "Static IP" which will show the fields to enter Address information.

IP Address: 192.168.127.20
Netmask: 24 (255.255.255.0)

Scroll down in the window to apply the changes.
Please note that the tab "Secondary IP" will not show any information yet.

After creating the 1:1 NAT rule this will automatically be filled and there is no additional configuration to be done at this tab.

Step 5: Configure NAT Rule

Go to "Routing & NAT -> NAT Settings" page.

To add an NAT rule, "+" symbol which provides the mask to define the rule.

The settings to be done are as follows:

Descriptionprovide a meaningful name as for example ctrlX-COREDouble NAT Enable (As both devices (ctrlX Core and ctrlX PLC Engineering station will not have a Gateway, enabling Double NAT is important to allow successful communication)).Incoming InterfaceWANDestination IP192.168.1.1Translated Packe (Action) (You may need to scroll down a bit to get entry field for this item).192.168.1.1

Click "APPLY" to create your NAT 1-to-1 rule.

Click "APPLY" again to configure NAT-102 using the NAT-102 rule.

NOTE: The next part is not necessary and for your information only:
If you want to check the Secondary IP setting you can go back to “Network Configuration -> Layer 3 Interface” and select the “Secondary IP” tab. It will show the destination IP used in created NAT rule as secondary WAN IP.

Step 6: Configure LAN port

The reason we configure LAN port IP as last step, is that afterwards the subnet changes and we would not be able to configure the NAT-102 with the 192.168.127.254 IP on port 1.
It saves the step to change the port or change the IP of your configuration PC accordingly.
Go to "Network Configuration -> Layer 3 Interface and the "LAN" tab should be already selected.

Click on the pen symbol for LAN to edit the settings.
Change the IP for "IP Address" filed to 192.168.1.20 and click "APPLY".

After click “APPLY” you will see that the web interface cannot refresh.
This is as we’ve changed the IP to a different subnet than our Configuration PC and communication is no longer possible.

Step 7: Test the target topology

Connect the network as in the target topology.

ctrlX PLC Engineering PC 192.168.127.50/24NAT-102 WAN IP (port 2)192.168.127.20/24NAT-102 Secondary WAN IP (port2)192.168.127.1/32NAT-102 LAN IP (port 1)192.168.1.20/24ctrlX CORE192.168.1.1

Try to access NAT-102 WAN IP https://192.168.127.20

Access to the WAN IP will not be possible.
This is due to the Trusted Access Feature enabled by default in NAT-102.
In case you want to have also access to NAT-102 web interface via the WAN port, you can either disable the feature, or add the respective IP of the ctrlX PLC Engineering PC or other.

Default Setting:

To allowing access from ctrlX PLC Engineering PC click on the “+” symbol and create a new entry and click on “APPLY”.

Click on Apply again in the main Mask.

Afterwards, you would be able to access NAT-102 via the WAN interface IP

Try to access ctrlX CORE via IP https://192.168.1.1
This cannot work, as ctrlX PLC Engineering is in a different subnet and there is no routing configured.
Try to access ctrlXCore via IP https://192.168.127.1
The NAT-102 will receive the request and translate to the address 192.168.1.1 of the ctrlX CORE
You can successfully connect to ctrlX CORE via IP 192.168.127.1

The Company

Moxa is a leading manufacturer of industrial networking technology. Moxa enables machine builders, plant builders & manufacturing companies to achieve digital transformation through scalable, fast & easy to implement OT networks.