NAPT
NAPT translates both IP addresses and ports to enable multiple private addresses to share one or multiple public addresses. NAPT applies to scenarios with a few public addresses but many private users who need to access the Internet. Figure 1 shows its mechanism.
Figure 1 Mechanism of NAPT
The following describes the NAPT process when the host accesses the web server.
1. After the host sends a packet to the FW, the FW finds that the packet needs to travel from the Trust zone to the Untrust zone and that the packet matches a security policy. The FW also finds that the packet matches a specific NAT policy, so NAT address translation must be performed.
2. The FW replaces the original source IP address of the packet with a public IP address selected from the NAT address pool based on the source IP address hashing result, replaces the original source port with a new port, and then forwards the packet to the Internet. At the same time, the FW adds an entry to the session table.
3. The web server sends a response packet destined for the host. The FW receives the response and searches the session table for the entry created in step 2. Based on that entry, the FW translates the destination address in the packet into the host IP address and the destination port into the private port number. The FW then forwards the packet to the host over the intranet.
As both addresses and ports are translated, multiple private users can share one public address to access the Internet. Because the FW distinguishes users by port, more users can access the Internet at the same time. Note that NAPT does not generate server-map entries; this differs from NAT No-PAT, and it means a packet arriving from the Internet is forwarded inward only if it matches an existing session entry.
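The three steps above and the session-table-only reverse path, as an added Python model (example code, not the FW's own implementation): pool selection by hashing the private source address, a new source port per session, and an inbound lookup that returns nothing when no session entry exists. The pool addresses, port range and packet values are constructed sample values.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample values, not taken from the original page.
NAT_POOL = ["203.0.113.10", "203.0.113.11"]   # public addresses in the NAT address pool
FIRST_PORT, LAST_PORT = 10240, 65535          # translated source-port range

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Napt:
    """Outbound packets get a pool address and a new port and create a session entry;
    inbound packets are translated only if an entry matches (no server-map exists)."""
    def __init__(self):
        # (public ip, public port, server ip, server port) -> (private ip, private port)
        self.sessions = {}
        self.next_port = {ip: FIRST_PORT for ip in NAT_POOL}

    def select_public_ip(self, src_ip: str) -> str:
        # Pool member chosen by hashing the private source address (step 2).
        digest = hashlib.sha256(src_ip.encode()).digest()
        return NAT_POOL[int.from_bytes(digest[:4], "big") % len(NAT_POOL)]

    def outbound(self, pkt: Packet) -> Packet:
        pub_ip = self.select_public_ip(pkt.src_ip)
        pub_port = self.next_port[pub_ip]
        if pub_port > LAST_PORT:
            raise RuntimeError(f"port range exhausted on {pub_ip}")
        self.next_port[pub_ip] = pub_port + 1
        self.sessions[(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        # Step 3: reply's destination is the public ip/port, its source is the server.
        entry = self.sessions.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None   # no session entry and no server-map: nothing to forward to
        priv_ip, priv_port = entry
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)

def demo():
    fw = Napt()
    out = fw.outbound(Packet("192.168.1.10", 40001, "198.51.100.5", 80))
    reply = fw.inbound(Packet("198.51.100.5", 80, out.src_ip, out.src_port))
    stray = fw.inbound(Packet("198.51.100.5", 80, out.src_ip, out.src_port + 1))
    return out, reply, stray
```

`demo()` returns the translated outbound packet, the reply mapped back to the host, and `None` for an inbound packet with no matching session.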