Introduction

Network address translation (NAT) is a method of remapping one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. In practice this means using the same IP address range in multiple sites and remapping the addresses in Locks so that the sites appear to have different addresses on the Key side.

In essence NAT is most useful when using the same LAN settings in multiple sites except for alternating the NAT IP address.

There are two types of NAT techniques; one-to-one NAT and one-to-many NAT. One-to-one NAT maps one LAN device address to another, each LAN device having their own private address and one-to-many NAT maps all LAN devices to the one and the same IP address. Tosibox Lock supports one-to-one NAT and this is where we focus from now on.

When to use NAT

If your need is to connect to a single OT device at a time typically there is no need to use NAT. This is true even if there are many sites and the same IP address space is in use in multiple sites. You simply configure each site the same way and change the Lock IP address range and other settings on LAN side to match customer network.

However sometimes you might have the need to connect multiple sites at the same time and don’t have the possibility to configure each site individually. You may encounter the same IP addresses in use at each site, in which case you will run into connection issues. Your workstation simply will not know where to connect. This is true for example in cases where you need continuous monitoring at many remote locations. The solution is 1:1 NAT.

Issue example

Typical example of an situation when 1:1 NAT would resolve the issue is when two colliding networks are connected at the same time. In the below network two Locks have overlapping LAN address space; My Lock 150 and My Lock 500. When both are connected the other network will give a warning on the Key Client.

When you click the warning icon a problem description is displayed explaining the situation. You have two options to overcome the situation. Either

• Change the LAN IP address, or
• Turn the 1:1 NAT on.

It is enough to make this configuration on either Lock.

Configuring NAT

To configure NAT open the Lock’s management interface and log in as admin user. Go to Network > LAN to open LAN configuration page. Take NAT into use by selecting the Use translated addresses with remote access (1:1 NAT) checkbox.

If you want you can configure the translated address in the Network address used for accessing LAN remotely field or leave it to Lock to decide. If you configure it the given IP address should be the Locks management interface address. LAN devices will get translated addresses starting from the given address in the range configured in the field IPv4 netmask.

Click Save to take the settings in use. Note that after saving the settings Lock will reconfigure your workstation and disconnect remote access.

Lock in Lock mode

NAT can be configured on Lock Network > LAN settings

For example, if you have defined

• Lock LAN IP as 10.15.6.1 with netmask of 255.255.255.0, and
• Device on that network is 10.15.6.2

Then you enable NAT and either let the Lock designate the NAT IP network address or manually define one, e.g. 10.1.1.0.

From Key side, you can then access the Lock user interface with the NAT IP 10.1.1.1 and the device with IP 10.1.1.2

Continue setting up the same LAN IP and netmask to other Locks, enabling NAT and taking care the NAT IP is from different network for all Locks. You will end up having a setup similar to the example network above where

• all your Locks have the same LAN IP settings
• all devices have the same IP address defined
• Devices on Lock LAN communicate using this IP address range locally
• From Key side you can be connected to all sites simultaneously and communicate to remote locations using NAT addresses

Lock in Client mode

NAT can be configured on Lock menu Network > LAN

• no physical WAN connection
• only physical LAN connection
• DHCP on LAN wont work in client mode (only static address mode)
• assign static IP address + subnet
• assign gateway IP address (important)
• assign DNS server
• configure 1:1 NAT

Key Client example

Before turning NAT on Lock is reachable at IP address 172.23.58.52 when remote connection is up, and the one LAN device at 192.168.1.18. Connecting both Locks would result in the error described earlier.

After NAT is configured Lock is still reachable on the same IP address 172.23.58.52 as before but the one LAN device is now at 10.10.10.18. Both Locks can be connected at the same time without issues.

Note that 192.168.1.18 is still the IP address configured on the LAN device itself but this is not visible to the Key Client workstation anymore as NAT translates the address to 10.10.10.18.