There is a general misconception between NAT (Network address translation) and PAT (Port Address Translation), which is what we mostly use in our home routers.
NAT
Let's assume we have a network with the following topology:
Private_Network <-------> Router <-------> The_Internet
The interface of the Router that is connected to the Private_Network has a private IP address, i.e. one that is not unique in The_Internet. On the other hand, in the case of NAT, Router has multiple interfaces connected to The_Internet. Each interface has a unique IP address in The_Internet. Now let's assume that Host_A and Host_B are in the Private_Network and they both want to access Website_X in The_Internet at the same time. The IPs and the ports of Host_A's packet will be:
Source IP: Host_A's private IP
Source Port: A port on Host_A
Destination IP: Website_X's public/unique IP
Destination Port: A port where Website_X's server is listening to
and in the same way for a packet coming from Host_B.
If the Source IP is left unchanged, then Website_X will reply to an IP address that is private, i.e. not unique, and therefore the packet will never be able to find it's way back. In order to solve that problem, the Router checks whether one of his unique IP addresses connected to The_Internet is not used. If that is the case, it does the following mapping:
Host_A's private IP ======= Router's_unique_IP_K
and now the packet that started from Host_A going to Website_X and is now leaving the interface of the Router connected to The_Internet will have the form:
Source IP: Router's_unique_IP_K
Source Port: A port on Host_A
Destination IP: Website_X's public/unique IP
Destination Port: A port where Website_X's server is listening to
Thus you can understand that there is an one-to-one association from private IPs to public IPs. Therefore when a packet arrives from Website_X to the Router, this association is checked and the destination IP address is changed back to the private one and delivered successfully to the right host.
As you can see, this method is quite simple, but it has one big disadvantage: each private host has to have a unique IP address reserved, which is expensive, thus we select to have fewer unique IP addresses than hosts in the private network. Therefore if all the private hosts attempt to access The_Internet at the same time, only a subset of them, equal to the number of the available public IP addresses that the Router has, will have access and the rest will be denied.
In order to counter that we created PAT.
PAT
PAT is what the vast majority of our home routers is using. The basic limitation is that the Router has a single unique IP address with which it connects to The_Internet, but we still want to allow multiple hosts from the private network to access The_Internet at the same time.
The way we do that is "similar" to the way NAT does it with a key difference: instead of the Router holding a pool of IP address, it holds a pool of port numbers. More precisely, a packet arriving at the Router from Host_A in the Private_Network destined to Website_X in The_Internet will have the following format:
Source IP: Host_A's private IP
Source Port: A port on Host_A
Destination IP: Website_X's public/unique IP
Destination Port: A port where Website_X's server is listening to
Now the Router will do two tasks:
- It will change the Source IP to the Router's unique public IP AND
- It will change the Source Port to a port from a pool that the Router is maintaining and is not already used, e.g. Port_Z
and now the packet that started from Host_A going to Website_X and is now leaving the interface of the Router connected to The_Internet will have the form:
Source IP: Router's_unique_IP_K
Source Port: Port_Z
Destination IP: Website_X's public/unique IP
Destination Port: A port where Website_X's server is listening to
and the Router will keep the following mapping:
Host_A's private IP AND a port on Host_A ======= Port_Z
Why does this work?
Now when a packet comes back, the Router simply checks the destination port number and changes the destination IP address and the destination port number according to the pre-mentioned mapping and the packet gets delivered successfully.
What if I run multiple applications on the same Host?
Different applications will have different ports, by definition, thus they will mapped to a different port from the Router.
What if multiple Hosts attempt to access The_Internet at the same time and they all use the same application?
Different Hosts will have different private IP addresses, by definition, thus they will mapped to a different port from the Router.
PAT is dangerously balancing in a grey space of cross-layer. Port numbers are part of the Transport Protocol while Routers are allowed to operate up to the Internet Protocol. So technically speaking is something that is not allowed by the protocols. Therefore there are, at least theoretically, potential dangers: the port pool is limited. Therefore if my private network consists of 1000 Hosts and each one is running port_pool/10 applications, the mapping table at the router will run out of available entries and access to applications will be denied.
This answer greatly exceeded my intended length, but I hope it was helpful.
NAT
If you are using static (one-to-one) NAT, the router will assign the 11.2.10.172 public IP to the first PC ( for example 192.168.1.101 ) trying to reach google.com. In this case, the two PC will not be able to communicate with google.com at once, because the only available public IP is already distributed.
The NAT table in the router:
11.2.10.172 -> 192.168.1.101
PAT
In your case PAT ( NAT overloading ) is the solution.
With PAT, multiple addresses can be mapped to one private IP. When a device initiates a TCP/IP session, it generates a TCP or UDP source port number to uniquely identify the session. When the router receives this packet it uses that source port number to uniquely identify the translation.
Example
PC1 (192.168.1.101) makes an HTTP request to google.com (64.233.161.1) with a random source port number (1444). PC1 will send a packet with DA: 64.233.161.1:80 | SA: 192.168.1.101:1444. When the router receives this packet it inserts 11.2.10.172:1444 -> 192.168.1.101:1444 to the NAT table then changes the L3 addressing of the packet to DA: 64.233.161.1:80 | SA: 11.2.10.172:1444 and forwards it to google.com.
Google responds with DA: 11.2.10.172:1444 | SA: 64.233.161.1:80. The router receives this packet and translates it to DA: 192.168.1.101:1444 | SA: 64.233.161.1:80 then forwards it to PC1.
If PC2 (192.168.1.102) sends a packet with the same source port number as PC1 did , the router simply increases the port number by 1. In that case the NAT table would look like this
11.2.10.172:1444 -> 192.168.1.101:1444
11.2.10.172:1445 -> 192.168.1.102:1444
I hope it helps a bit.
UPDATE
As @CraigConstantine noticed, 10.2.10.172 is still in the private address space so I have changed it to 11.2.10.172.
Best Answer
NAT (Network Address Translation) is a method created to extend the life of IPv4. Without it, we would have completely run out of IPv4 addresses many years ago, instead of more recently, as has happened. Unfortunately, NAT breaks the IP model of end-to-end connectivity, where each device has a unique IP address.
NAT, at it core, simply translates either or both the source and destination addresses on IP packets to be different addresses. There are multiple variations of NAT. The common version used to allow devices on a network with private addresses use a single public address is call NAPT (Network Address Port Translation).
NAT can be used on different device types, but it is most convenient to to run a NAT process on a firewall or router that connects a private network to the public Internet. It is not a firewall or router requirement to run NAT, but that is usually the logical place to run it.
NAPT looks at the source layer-3 and layer-4 addresses of packets passing from inside to outside, then it creates or updates an entry in a NAT table and replaces the source layer-3 and layer-4 addresses with different addresses before forwarding the packets.
When a packet comes in from the outside with the layer-3 destination address of the NAT device, NAPT looks at the destination layer-3 and layer-4 addresses, and it looks up in the NAT table to determine which layer-3 and layer-4 address to use to replace the destination addresses, then it replaces those addresses and forwards the packets to the inside. NAT drops any packets for which there are NAT table entries.
NAT table entries will time out, or, in some cases with TCP, will be purged when the connection ends.
It important to NAPT to inspect both the source and destination addresses to create NAT table entries for a particular conversation. That helps to prevent outside hosts that are not part of the conversation from sending unwanted packets to the inside host.
Both the source and destination addresses on the packets must match the NAT table entries before packets are allowed from outside to inside. That means that only inside hosts can initiate a conversation because there is no NAT table entry in place for an outside host to initiate a conversation. This brings up the concept of port forwarding, which essentially create a permanent NAT table entry in order to allow outside hosts to initiate a conversation with an inside host.
For more information about NAT, you can look at RFC 3022, Traditional IP Network Address Translator (Traditional NAT).