Dynamic source translation

Dynamic source translation allows translating many original IP addresses to a much smaller pool of translated addresses, or even to a single IP address.

Dynamic source translation, sometimes referred to as hide NAT, is often used to mask the internal networks of a company behind one or a few public, routable IP addresses provided by an ISP.

This illustration shows the process for dynamic source translation. Because dynamic source translation maps multiple hosts to the same IP address (a many-to-one or many-to-some relationship), the destination address alone is not enough to tell the connections apart when the reply packets arrive. The firewall therefore also uses the source port: each connection is given its own translated source port, and the port a reply comes back to identifies the original connection.

Figure: Dynamic source translation

Hosts make connections.
The firewall assigns each connection a unique translated source port from the unreserved high port range and records the mapping so that it can track the connection.
The reply packet is sent back to the translated address and that unique port.
The firewall translates the destination of the reply back to the original source address and port.
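The following is an added example, not code from the original page or from any firewall product, that models the four steps above: a hide NAT table that allocates a translated source port per connection, rewrites the outbound packet, and undoes the translation on the reply. It also shows the two failure modes a practitioner cares about: a reply with no matching state is dropped, and a pool that runs out of translated ports cannot carry a new connection. The public address, host addresses, port range (1024 to 65535 as the "unreserved high ports") and sample packets are all constructed assumptions.

```python
"""Toy model of dynamic source translation (hide NAT / PAT).

Added example; assumptions: a single translated (public) IP, translated
ports drawn from 1024-65535, TCP/UDP only, no idle timeouts. All
addresses and packets below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# A connection is identified by (proto, src_ip, src_port, dst_ip, dst_port).
FiveTuple = Tuple[str, str, int, str, int]

HIGH_PORT_MIN, HIGH_PORT_MAX = 1024, 65535  # assumed "unreserved high ports"


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class HideNat:
    def __init__(self, public_ip: str, port_min: int = HIGH_PORT_MIN,
                 port_max: int = HIGH_PORT_MAX) -> None:
        self.public_ip = public_ip
        self._next_port = port_min
        self._port_max = port_max
        # original 5-tuple -> translated source port
        self._out: Dict[FiveTuple, int] = {}
        # (proto, translated port, remote ip, remote port) -> original 5-tuple
        self._in: Dict[Tuple[str, int, str, int], FiveTuple] = {}

    def _alloc_port(self) -> int:
        # Sequential allocation keeps the example readable; real firewalls
        # randomise the translated port so it cannot be predicted by a third party.
        if self._next_port > self._port_max:
            raise RuntimeError("translated port pool exhausted")
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Step 1-2: a host makes a connection; it gets a unique translated port."""
        key: FiveTuple = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        tport = self._out.get(key)
        if tport is None:                      # new connection: create state
            tport = self._alloc_port()
            self._out[key] = tport
            self._in[(pkt.proto, tport, pkt.dst_ip, pkt.dst_port)] = key
        return Packet(pkt.proto, self.public_ip, tport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Step 3-4: reply arrives at public_ip:tport; restore the original
        destination. Returns None (drop) when there is no matching state."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = self._in.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if key is None:
            return None                        # unsolicited packet, no state
        _, orig_ip, orig_port, _, _ = key
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, orig_ip, orig_port)


def demo() -> dict:
    """Two internal hosts use the same source port to the same server."""
    nat = HideNat("203.0.113.1")
    server = "198.51.100.7"
    a_out = nat.outbound(Packet("tcp", "10.0.0.5", 40000, server, 443))
    b_out = nat.outbound(Packet("tcp", "10.0.0.6", 40000, server, 443))
    a_reply = nat.inbound(Packet("tcp", server, 443, "203.0.113.1", a_out.src_port))
    b_reply = nat.inbound(Packet("tcp", server, 443, "203.0.113.1", b_out.src_port))
    stray = nat.inbound(Packet("tcp", server, 443, "203.0.113.1", 60000))
    return {"a_out": a_out, "b_out": b_out, "a_reply": a_reply,
            "b_reply": b_reply, "stray": stray}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both hosts leave the firewall as 203.0.113.1, distinguished only by the translated source port; the reply to each port is rewritten back to the right internal host, and a packet arriving at an unused port is dropped for lack of state. Shrinking the port range in the constructor demonstrates pool exhaustion, which in practice caps the number of concurrent connections one hide NAT address can carry.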