Enable Access ctrlX AUTOMATION using Network Address Translation (NAT)

Community Moderator
Community Moderator

Introduction - A Machine Builder's Situation

IP addressing for all electrical devices with ethernet capabilities are a challenge in the manufacturing ecosystem. Machine Builders have to start with a standard setup of IP addresses. When deploying into the field these IP addresses have mostly be changed when integrating into an OT-network with a lot of already existing devices. Depending on the size of the plant new addressing can take some time and new hurdles might appear when integrating.

To ease this situation Moxa created the NAT-102. Machine Builders can use the function of Network Address Translation to let machine builders use their standard setup of IP addresses for all their machines. Even when deploying more of the same machine type into the same plant or line without causing communication issues due to same IP addresses. The NAT-102 can take care about this with creating an external unique IP address to be reachable. This reduces engineering time and also eases the service effort when machines have to be reached and analyzed in moments of failure.

This How-to shows how to create one of those scenarios when controlling your machine with ctrlX AUTOMATION.

NAT-102 configuration

The goal is to provide means of flexible integration of multiple ctrlX CORE, deployed with same IP configuration to your ctrlX PLC Engineering station using MOXA NAT-102, 2-port industrial Network Address Translation (NAT) devices.

An example topology could be as seen below. Each ctrlX CORE comes with the same IP configuration but should connect to the same network of ctrlX PLC Engineering station.

Demo SetupDemo Setup

Configuration Topology

Configuration TopologyConfiguration Topology

Configuration PC: IP address
NAT - 102 Default IP address

The IP of the configuration PC can be any IP that is not used, within the 192.168.127.x network.
The NAT-102 comes with two ports having default LAN IP address is

  • The internal port (Port 1) will connect to the ctrlX Core in 192.168.1.x network.
  • The external port (Port 2) will be used as WAN port to connect to the upper-level
    network, in our case 192.168.127.x
This leads to the following target topology

Target topologyTarget topology

The IP’s used in this guide, will be denoted in the following table. They can be differently in your target environment.

ctrlX PLC Engineering PC
NAT - 102 WAN IP (port 2)
NAT - 102 Secondary WAN IP (port2)
NAT - 102 LAN IP (port1)
ctrlX CORE

The NAT-102 secondary WAN IP will be the NAT 1:1 IP, used to access ctrlX Core from ctrlX PLC Engineering device.

NOTE: Neither the ctrlX PLC Engineering device nor the ctrlX CORE would need to have a Gateway configured with using the “Double NAT” feature from NAT-102.

Configuration Steps
Step 1: Web Connection

Connect to NAT Web GUI with .

You may see the security warning as below, which is which is caused by the SSL certificate from NAT-102 not known to the configuration PC.

Security warningSecurity warning

Click the button "Advanced" and then "Proceed to (unsafe)" to get to the login screen of NAT-102.

Moxa Login inMoxa Login in

Step 2: Login

Login via default cedentials admin / moxa
After pressing "LOG IN" you will see the NAT-102 menu and "Device Summary" as well as the most recent "System Message" which you should close to get access to the menu items.

Device SummaryDevice Summary

Step 3: Configure VLAN Settings

After successful login the first step is to configure two VLAN.
One VLAN will be used for defining the LAN and the other VLAN will be for defining the WAN interface.
We will use VLAN 1 for LAN and VLAN 2 for WAN.
As VLAN 1 already exist, we only need to add VLAN ID 2 to the configuration.

Therefore, go to “Network Configuration -> Layer 2 Switching -> VLAN” and after click on the VLAN menu item, you select the “Settings” Tab.
VLAN tabVLAN tab

To add another VLAN, click on the "+" symbol to create a new VLAN and use VLAN ID 2.

Create VLANCreate VLAN

After creation you’ll find the new VLAN ID available, but not assigned to any port yet.


To assign the VLAN ID 2 to our port 2, click on the pen symbol for port 2.

VLAN Pen SymbolVLAN Pen Symbol

In the port 2 Settings change PVID to 2 and click the "APPLY" button.

Edit Port 2 SettingsEdit Port 2 Settings

You will see that afterward port 1 is member of VLAN 1 and port 2 is member of VLAN 2.

Assigned VLAN portsAssigned VLAN ports

Step 4: Configure WAN port

Go to "Network Configuration -> Layer 3 Interface" and select the "WAN" tab.

Layer 3 Interfaces WAN tabLayer 3 Interfaces WAN tab

The settings to be done are as follows:
Connection Type: Change to "Static IP" which will show the fields to enter Address information.
Layer 3 Interfaces configurationLayer 3 Interfaces configuration

IP Address:
Netmask: 24 (

Layer 3 Interfaces configurationLayer 3 Interfaces configuration

Scroll down in the window to apply the changes.
Please note that the tab "Secondary IP" will not show any information yet.

Layer 3 interfaces Secondary IP tabLayer 3 interfaces Secondary IP tab

After creating the 1:1 NAT rule this will automatically be filled and there is no additional configuration to be done at this tab.

Step 5: Configure NAT Rule

Go to "Routing & NAT -> NAT Settings" page.

NAT SettingsNAT Settings

To add an NAT rule, "+" symbol which provides the mask to define the rule.

Create Index 1Create Index 1

The settings to be done are as follows:

Description provide a meaningful name as for example ctrlX-CORE
Double NAT  Enable (As both devices (ctrlX Core and ctrlX PLC Engineering station will not have a Gateway, enabling Double NAT is important to allow successful communication)).
Incoming Interface WAN
Destination IP
Translated Packe (Action) (You may need to scroll down a bit to get entry field for this item).

Edit Index 1Edit Index 1

Click "APPLY" to create your NAT 1-to-1 rule.

NAT configurationNAT configuration

Click "APPLY" again to configure NAT-102 using the NAT-102 rule.

NOTE: The next part is not necessary and for your information only:
If you want to check the Secondary IP setting you can go back to “Network Configuration -> Layer 3 Interface” and select the “Secondary IP” tab. It will show the destination IP used in created NAT rule as secondary WAN IP.

Layer 3 Interfaces Secondary IP tabLayer 3 Interfaces Secondary IP tab

Step 6: Configure LAN port

The reason we configure LAN port IP as last step, is that afterwards the subnet changes and we would not be able to configure the NAT-102 with the IP on port 1.
It saves the step to change the port or change the IP of your configuration PC accordingly.
Go to "Network Configuration -> Layer 3 Interface and the "LAN" tab should be already selected.

Layer 3 interfaces LAN tabLayer 3 interfaces LAN tab

Click on the pen symbol for LAN to edit the settings.
Change the IP for "IP Address" filed to and click "APPLY".

Edit LAN Interfaces EntryEdit LAN Interfaces Entry

After click “APPLY” you will see that the web interface cannot refresh.
This is as we’ve changed the IP to a different subnet than our Configuration PC and communication is no longer possible.

Web Interface refreshWeb Interface refresh

Step 7: Test the target topology

Connect the network as in the target topology.

Target TopologyTarget Topology

ctrlX PLC Engineering PC
NAT-102 WAN IP (port 2)
NAT-102 Secondary WAN IP (port2)
NAT-102 LAN IP (port 1)
ctrlX CORE

Try to access NAT-102 WAN IP

Access to the WAN IP will not be possible.
This is due to the Trusted Access Feature enabled by default in NAT-102.
In case you want to have also access to NAT-102 web interface via the WAN port, you can either disable the feature, or add the respective IP of the ctrlX PLC Engineering PC or other.

Default Setting:

Trusted accessTrusted access

To allowing access from ctrlX PLC Engineering PC click on the “+” symbol and create a new entry and click on “APPLY”.

Create Index 1Create Index 1

Click on Apply again in the main Mask.

Trusted accessTrusted access

Afterwards, you would be able to access NAT-102 via the WAN interface IP

Moxa Log In screenMoxa Log In screen

  • Try to access ctrlX CORE via IP
    This cannot work, as ctrlX PLC Engineering is in a different subnet and there is no routing configured.
  • Try to access ctrlXCore via IP 
    The NAT-102 will receive the request and translate to the address of the ctrlX CORE
    You can successfully connect to ctrlX CORE via IP

ctrlX Automation Log InctrlX Automation Log In

The Company 

Moxa is a leading manufacturer of industrial networking technology. Moxa enables machine builders, plant builders & manufacturing companies to achieve digital transformation through scalable, fast & easy to implement OT networks.



Hi, I'm Michael and I work in the Bosch Rexroth ctrlX World team. We build and orchestrate the ctrlX World Business Ecosystem. Contact me if you want to know more about it or if you would like to be part of it!
Must Read