Hide NAT allows Security Administrators to conceal multiple private IP addresses behind a single public IP address. Most networks have multiple private IP addresses that cannot send traffic directly to other hosts on the Internet, because they do not have publicly routable IP addresses. Using Hide Network Address Translation (NAT), ALL hosts with private IP addresses share a single public IP address when their traffic is routed on the Internet.
There are two kinds of Hide IP addresses: either a virtual address, or the IP address of the Security Gateway interface leading to the Internet. The "virtual" address is an address separate from the Security Gateway configuration, and it must be routable on the Internet. When Administrators use the Internet-facing interface of the Security Gateway as the Hide NAT address, no additional IP address is necessary. The Security Gateway interface hides all internal hosts, and traffic from those hosts appears to emanate from the Gateway.
Hide NAT Example:
Two hosts with private IP addresses, 10.1.1.1 and 10.1.1.2, are accessing Web sites on the Internet. As each HTTP request exits the Security Gateway, both show a source address of the Security Gateway: 172.21.101.1.
Although the traffic seems to emanate from the same source, the HTTP requests are processed by the Security Gateway on different ports.
The Security Gateway remembers the port associated with each request. When the reply is returned from the Web site on the Internet, the Security Gateway translates the reply packets back to the private IP addresses, based on the port associated with the reply.
Internal Host request to an External Host:
  Before NAT (internal side)                               After NAT (Internet side)
  Source      Port     Destination   >>> Security Gateway >>>   Source         Port     Destination
  10.1.1.1    15,252   x.x.x.x       >        NAT        >      172.21.101.1   17,290   x.x.x.x

Reply from the External Host to the Internal Host:

  After NAT (internal side)                                Before NAT (Internet side)
  Source      Destination   Port     <<< Security Gateway <<<   Source    Destination    Port
  x.x.x.x     10.1.1.1      15,252   <        NAT        <      x.x.x.x   172.21.101.1   17,290
When Security Gateway performs Hide NAT, it dynamically assigns all port numbers from one of two pools:
- 600 to 1023
- 10,000 to 60,000
Security Gateway keeps track of the port number changes, and uses the port numbers to determine how to translate the reply packets sent to the Hide NAT address. Although port numbers are constantly being assigned to exiting packets, no source port number can be used by more than one connection at a time. The limit to the number of simultaneous Hide NAT connections is 50,000 internal requests to the same external server.
Clarification: The limit of 50,000 ports applies per Hide NAT IP address, destination, and IP protocol. It is therefore possible to open more than 50K simultaneous NATed connections in total.
In other words, the same port can be used again if the connection is to a different destination, uses a different Hide NAT IP address, or uses a different IP protocol (e.g. TCP and UDP).
Hiding behind a single Hide IP address is enough unless you have more than 50K simultaneous connections to the same destination. In that case, you will need to hide behind a range of Hide IP addresses.
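The following is an added example (not Check Point's code) that models the port allocation rules above as a small translation table: translated ports come from the two pools named in the text, each port is unique only within the (Hide IP, destination, protocol) tuple, and the per-tuple limit is the stated 50,000. The IP addresses and the exhaustion_demo helper are constructed for illustration.

```python
# Added example (not Check Point's code): a toy Hide NAT translation table.
# Pools and the per-key limit are the values stated in the text; addresses are constructed.
from collections import deque

PORT_POOLS = ((600, 1023), (10_000, 60_000))  # dynamic source-port pools
MAX_CONNS_PER_KEY = 50_000  # stated limit per (hide IP, destination, protocol)


class HideNat:
    def __init__(self, hide_ip):
        self.hide_ip = hide_ip
        self.free = {}   # key -> deque of translated ports not yet in use
        self.table = {}  # key -> {translated_port: (private_ip, private_port)}

    def _key(self, peer_ip, proto):
        # Ports are unique only within this tuple, so the total can exceed 50K.
        return (self.hide_ip, peer_ip, proto)

    def outbound(self, src_ip, src_port, dst_ip, proto="tcp"):
        """Translate an exiting packet; returns (hide_ip, new_port) or None if exhausted."""
        key = self._key(dst_ip, proto)
        if key not in self.free:
            self.free[key] = deque(p for lo, hi in PORT_POOLS for p in range(lo, hi + 1))
            self.table[key] = {}
        if len(self.table[key]) >= MAX_CONNS_PER_KEY or not self.free[key]:
            return None
        port = self.free[key].popleft()
        self.table[key][port] = (src_ip, src_port)
        return (self.hide_ip, port)

    def inbound(self, src_ip, dst_port, proto="tcp"):
        """Map a reply sent to the hide IP back to (private_ip, private_port), or None."""
        return self.table.get(self._key(src_ip, proto), {}).get(dst_port)

    def close(self, dst_ip, port, proto="tcp"):
        """Release a translated port so a later connection to the same key can reuse it."""
        key = self._key(dst_ip, proto)
        if self.table.get(key, {}).pop(port, None) is not None:
            self.free[key].appendleft(port)


def exhaustion_demo(nat, dst_ip):
    """Open TCP connections to one destination until the per-key limit is hit.
    Returns (connections opened, TCP to another destination ok, UDP to same destination ok)."""
    opened = 0
    while nat.outbound("10.1.1.1", 1024 + opened % 60000, dst_ip) is not None:
        opened += 1
    other_dst = nat.outbound("10.1.1.1", 2000, "203.0.113.99") is not None
    other_proto = nat.outbound("10.1.1.1", 2000, dst_ip, proto="udp") is not None
    return opened, other_dst, other_proto
```

Two private hosts may even use the same private source port; the gateway still hands each connection a distinct translated port, and a reply is mapped back solely by that port.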