Example:
Here are two possible packets that the FortiGate would treat as distinct sessions, so that any responses from the web server would make it back to their correct original sender.
From Student A

| Attribute | Original Packet | Packet after NATing |
|---|---|---|
| Source IP address or src-ip | 10.1.1.56 | u.u.u.1 |
| Destination IP address or dst-ip | w.w.w.1 | w.w.w.1 |
| Protocol | tcp | tcp |
| Source port or src-port | 10000 | 46372 |
| Destination port or dst-port | 80 | 80 |

From Student B

| Attribute | Original Packet | Packet after NATing |
|---|---|---|
| Source IP address or src-ip | 10.5.1.233 | u.u.u.1 |
| Destination IP address or dst-ip | w.w.w.1 | w.w.w.1 |
| Protocol | udp | udp |
| Source port or src-port | 26785 | 46372 |
| Destination port or dst-port | 80 | 80 |
Even though the source port is the same, because the protocol is different they are considered to be from different sessions and different computers.
The drawback is that it would depend on the protocols being used being evenly distributed between TCP and UDP. Even if this were the case, the number would only double, reaching an upper limit of 65,536 possible connections. That number is still far short of the more than 16 million possible addresses in an IP subnet with an eight bit subnet mask like the one in our example.
Fortinet does not use this method.
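The following is an added illustration, not Fortinet code and not how a FortiGate actually tracks sessions: it models the protocol-plus-port scheme described above (the one the text says Fortinet does not use), replays the two student packets through it, shows a reply being routed back to the right inside host, shows what happens when a third TCP client wants the same translated port, and counts the resulting session limit against the size of the /8 block mentioned in the text. The class, function and variable names, and the third client 10.9.9.9:5555, are assumptions made for this example; u.u.u.1 and w.w.w.1 are the placeholders the text uses.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Placeholder addresses follow the text: u.u.u.1 is the NAT's public address,
# w.w.w.1 is the web server. PORTS_PER_PROTOCOL is the 16-bit port field (0..65535).
EXTERNAL_IP = "u.u.u.1"
WEB_SERVER = "w.w.w.1"
PORTS_PER_PROTOCOL = 65536


@dataclass(frozen=True)
class Packet:
    protocol: str  # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class ProtocolPortNat:
    """Hypothetical source NAT whose session key is (protocol, translated port).

    Two sessions may share a translated port as long as their protocols differ;
    a reply is routed back by looking up that key. This is an illustrative
    model, not the FortiGate session table.
    """

    def __init__(self, external_ip: str = EXTERNAL_IP) -> None:
        self.external_ip = external_ip
        # (protocol, translated src port) -> (original src ip, original src port)
        self.sessions: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def translate(self, pkt: Packet, translated_port: int) -> Packet:
        """Rewrite the source of an outbound packet; refuse a key already owned by another host."""
        key = (pkt.protocol, translated_port)
        owner = (pkt.src_ip, pkt.src_port)
        if key in self.sessions and self.sessions[key] != owner:
            raise ValueError(f"{key} already maps to {self.sessions[key]}")
        self.sessions[key] = owner
        return Packet(pkt.protocol, self.external_ip, translated_port, pkt.dst_ip, pkt.dst_port)

    def untranslate(self, reply: Packet) -> Optional[Packet]:
        """Map a reply addressed to the NAT back to the inside host, or None if no session matches."""
        owner = self.sessions.get((reply.protocol, reply.dst_port))
        if owner is None:
            return None
        return Packet(reply.protocol, reply.src_ip, reply.src_port, owner[0], owner[1])

    @staticmethod
    def capacity(protocols: Tuple[str, ...] = ("tcp", "udp")) -> int:
        """Upper bound on simultaneous sessions behind one address under this scheme."""
        return len(protocols) * PORTS_PER_PROTOCOL


def hosts_in_subnet(prefix_len: int) -> int:
    """Number of IPv4 addresses in a block with the given prefix length (8 -> 16,777,216)."""
    return 2 ** (32 - prefix_len)


def walk_through() -> dict:
    """Replay the two student packets from the text, their replies, and a colliding third client."""
    nat = ProtocolPortNat()
    a = Packet("tcp", "10.1.1.56", 10000, WEB_SERVER, 80)   # Student A
    b = Packet("udp", "10.5.1.233", 26785, WEB_SERVER, 80)  # Student B
    a_out = nat.translate(a, 46372)
    b_out = nat.translate(b, 46372)  # same translated port, different protocol: allowed

    # Replies from the web server swap src and dst; the NAT must pick the right inside host.
    reply_to_a = Packet("tcp", WEB_SERVER, 80, EXTERNAL_IP, 46372)
    reply_to_b = Packet("udp", WEB_SERVER, 80, EXTERNAL_IP, 46372)

    # A third TCP client (constructed for this example) cannot reuse 46372 while A's session exists.
    c = Packet("tcp", "10.9.9.9", 5555, WEB_SERVER, 80)
    try:
        nat.translate(c, 46372)
        collision = False
    except ValueError:
        collision = True

    return {
        "a_out": a_out,
        "b_out": b_out,
        "a_back": nat.untranslate(reply_to_a),
        "b_back": nat.untranslate(reply_to_b),
        "collision": collision,
        "capacity": nat.capacity(),
        "hosts_slash8": hosts_in_subnet(8),
    }


if __name__ == "__main__":
    for name, value in walk_through().items():
        print(name, value)
```

Running it shows both replies landing on the correct original sender even though they carry the same destination port, the third TCP client being refused, and the session ceiling (two protocols times the port space) sitting far below the address count of a /8, which is the shortfall the text describes.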