When source IP address-based NAT, such as NAPT or Easy IP, is used, intranet users can share one or more public IP addresses. So how many intranet users can share one public IP address?
As we know, the firewall session table records the connection state of each protocol and plays a key role in packet forwarding. For example, intranet users 10.1.1.1 and 10.1.1.2 both ping the server 210.1.1.1, and the USG performs NAT using the public IP address 200.10.10.1. The session table is displayed as follows:
##########
<USG6000> display firewall session table
Current total sessions: 2
Slot: 1 CPU: 1
icmp VPN: public --> public 10.1.1.1:1280[200.10.10.1:10324] --> 210.1.1.1:2048
icmp VPN: public --> public 10.1.1.2:1280[200.10.10.1:6025] --> 210.1.1.1:2048
##########
Because the IP address and port number combinations of different intranet users must be different, the firewall can identify a data flow based on the source address and source port number and establish the forward NAT mapping. For reverse address restoration, the quintuple (source address + source port + destination address + destination port + protocol) is used to uniquely identify a data flow.
According to this session-table mechanism, as long as different intranet users differ in any parameter of the 'destination address + destination port + protocol' triple, the same port of the same public address in the address pool can be allocated to multiple intranet users at the same time without any conflict.
For example:
source address | source port | NAT address | NAT port | destination address | destination port | protocol
10.1.1.1 | 80 | 210.1.1.1 | 8080 | www.google.com | 8080 | https
10.1.1.2 | 80 | 210.1.1.1 | 8080 | forum.huawei.com | 8080 | https
Therefore, as long as one parameter of the 'destination address + destination port + protocol' triple differs, the same NAT address and port can be reused, and the allocation is not limited by the 65535-port range. In this case, no matter how the ports are allocated, there is no problem.
In addition, when different intranet users access the same 'destination address + destination port + protocol' triple, the hash algorithm ensures that they are not allocated the same NAT address and port. The session table is also aged in real time, and an allocated port is reused after its session entry ages out. Therefore, the number of usable ports is almost unrestricted.
In conclusion, theoretically there is no limit on the number of private IP addresses that can be mapped to a single public IP address.
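The following simulation is an added example, not Huawei USG code, that makes the two points above concrete: a NAPT session table whose reverse lookup is keyed on the translated quintuple, so a public port only conflicts with another flow to the same destination triple, and whose entries age out so their ports are freed. The port allocator uses a crc32-seeded starting point as a stand-in for the device's own hash algorithm; the addresses, port range and timeout are constructed values.

```python
import zlib
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple

# Constructed simulation of a NAPT session table (not USG code).
# Forward lookup key: the packet's own 5-tuple.
# Reverse lookup key: (NAT address, NAT port, destination address,
# destination port, protocol). Because the reverse key carries the
# destination triple, one public port can serve several intranet hosts
# as long as their destination triples differ.

FiveTuple = Tuple[str, int, str, int, str]   # ip, port, dst_ip, dst_port, proto


@dataclass
class Session:
    fwd: FiveTuple      # (src_ip, src_port, dst_ip, dst_port, proto)
    rev: FiveTuple      # (nat_ip, nat_port, dst_ip, dst_port, proto)
    last_seen: float    # time of the last packet, used for aging


class NaptTable:
    def __init__(self, public_ip: str, port_lo: int = 1024,
                 port_hi: int = 65535, timeout: float = 300.0) -> None:
        self.public_ip = public_ip
        self.port_lo, self.port_hi = port_lo, port_hi
        self.timeout = timeout
        self.fwd: Dict[FiveTuple, Session] = {}
        self.rev: Dict[FiveTuple, Session] = {}

    def _port_candidates(self, fwd: FiveTuple) -> Iterator[int]:
        # Stand-in for the device's hash-based allocator: a stable hash of
        # the flow picks the starting port, then the range is probed linearly.
        span = self.port_hi - self.port_lo + 1
        start = zlib.crc32(repr(fwd).encode()) % span
        for i in range(span):
            yield self.port_lo + (start + i) % span

    def age(self, now: float) -> int:
        """Remove entries idle longer than the timeout; their ports become free."""
        expired = [s for s in self.fwd.values() if now - s.last_seen > self.timeout]
        for s in expired:
            del self.fwd[s.fwd]
            del self.rev[s.rev]
        return len(expired)

    def translate_out(self, src_ip: str, src_port: int, dst_ip: str,
                      dst_port: int, proto: str, now: float) -> Optional[Tuple[str, int]]:
        """Outbound packet: return (nat_ip, nat_port), or None if no port is free."""
        self.age(now)
        fwd = (src_ip, src_port, dst_ip, dst_port, proto)
        hit = self.fwd.get(fwd)
        if hit is not None:                 # existing flow: refresh and reuse the mapping
            hit.last_seen = now
            return hit.rev[0], hit.rev[1]
        for port in self._port_candidates(fwd):
            rev = (self.public_ip, port, dst_ip, dst_port, proto)
            if rev not in self.rev:         # a port only conflicts with the same destination triple
                s = Session(fwd, rev, now)
                self.fwd[fwd] = self.rev[rev] = s
                return self.public_ip, port
        return None   # every port already carries a flow to this exact destination triple

    def translate_in(self, nat_port: int, peer_ip: str, peer_port: int,
                     proto: str) -> Optional[Tuple[str, int]]:
        """Reply packet: restore (src_ip, src_port) from the translated 5-tuple."""
        s = self.rev.get((self.public_ip, nat_port, peer_ip, peer_port, proto))
        return (s.fwd[0], s.fwd[1]) if s is not None else None


def demo() -> dict:
    # Only two public ports, so that reuse and exhaustion are visible.
    t = NaptTable("200.10.10.1", port_lo=10000, port_hi=10001, timeout=60.0)
    r = {}
    r["a"] = t.translate_out("10.1.1.1", 1280, "210.1.1.1", 2048, "icmp", now=0.0)
    r["b"] = t.translate_out("10.1.1.2", 1280, "210.1.1.1", 2048, "icmp", now=0.0)
    # Third host to the same destination triple: both ports are taken for that triple.
    r["c"] = t.translate_out("10.1.1.3", 1280, "210.1.1.1", 2048, "icmp", now=0.0)
    # Same host, different destination: a port already in use is reused without conflict.
    r["d"] = t.translate_out("10.1.1.3", 1280, "210.1.1.2", 2048, "icmp", now=0.0)
    r["a_again"] = t.translate_out("10.1.1.1", 1280, "210.1.1.1", 2048, "icmp", now=10.0)
    r["rev_a"] = t.translate_in(r["a"][1], "210.1.1.1", 2048, "icmp")
    r["aged"] = t.age(now=100.0)        # all three entries have been idle longer than 60 s
    r["c_after"] = t.translate_out("10.1.1.3", 1280, "210.1.1.1", 2048, "icmp", now=100.0)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With two public ports, the first two hosts pinging the same server each get a distinct port, the third host to that same server is refused, yet the very same host is served at once when it targets a different server, because the port it receives only has to be unique within its own destination triple. After the entries age out the refused host gets a port, which is the real-time aging and reuse described above.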