Hello, I'm a newbie to networking and am having a hard time understanding something. Each device on the Internet needs it's own unique IP address. Where I am working, we have several devices behind our firewall (about 400). My understanding from our network guys is that when a user goes out to the internet, NAT kicks in and masks the internal address with a "real" IP address. If we have 400 devices going with the same firewall, wouldn't each device get the same "real" IP address? If so, doesnt that make duplicates on the Internet? Thanks

Essentially that's correct. All devices would show the same "real" IP as far as the outside world goes. That is to say, all devices behind the NAT have separate IP's internally, but as far as the internet is concerned, all the traffic comes from the one external IP address....not multiples of the same IP. Basically what happens is, the device sends it's external request, NAT makes note of the devices LAN IP, sends out the request with the one IP address assigned to your external connection. When the reply comes back in, NAT directs it to the LAN IP the request originall came from.

Thanks Curt.. Just one follow up.. If more than one device though..was accessing the Internet, wouldn't the Internet see multiple devices using the same IP? Or does NAT somehow do something so the INternet would not see the same address used multiple times at the same time?

NAT fixes it so all outbound traffic appears to be from the single IP (device) regardless of how many are actually accessing from behind the NAT.

Thanks again Curt..it's clearer to me now. The only part of it that confuses me a little is how there isnt a problem when all devices appear to the Internet as coming from a single IP. I guess because of the "each device needs it's own IP" rule, it's a little confusing.

I think what you're confused about is how does NAT know which computer to send various traffic back to. For example, if I'm surfing cnn.com, and you're surfing yahoo.com at the same time behind the same nat, how does NAT know to send my traffic to me, and your traffic to you? Normally, IP addressing takes care of that. In this case, NAT monitors connections by source and destination ports. While normal web surfing is always pointed to a destination port of 80 unless specified otherwise, that doesn't change. However, your source port does. Incidentally, this is also how you can surf multiple sites simultaneously on the same machine, and the right traffic goes to the right web browser window. Please help survivors of Hurricane Katrina! www.redcross.org

What happens is imagine an ip as a block of flats, and each ip has 65535 ports (the individual flats) so when traffic goes out from 192.168.0.10 it leaves the pc on say port 44450, the router/firewall then tags that port and ip address, then sends out to the internet on its own ip eg. 212.212.212.212 port 44450, when the far end replies it replies to the firewall/router's ip address specifying that port (44450), the next machine's packet might go out on 23452 say, so the reply is 212.212.212.212:23452, the NAT device then checks its lookup table and says oh yea 44450 goes to 192.168.0.10, and 23452 goes to 192.168.20.3. Its a bit more complex than that but its a fairly good description. Just remember the IP address is a towerblock, and the port number is each flat inside it. (we'll ignore the going up into the application level from here)