Masquerade NAT


Masquerade NAT is used to allow your private network to hide behind, as well as be represented by, the address bound to the public interface.

In many situations, the address bound to the public interface is the address that has been assigned by an Internet service provider (ISP), and the address can be dynamic in the case of a Point-to-Point Protocol (PPP) connection. This type of translation can only be used for connections originating within the private network and destined for the outside public network. Each outbound connection is kept distinct by assigning it a different source port number (TCP or UDP) on the public address.

Masquerade NAT allows workstations with private IP addresses to communicate with hosts on the Internet through the i5/OS® operating system. i5/OS has an IP address assigned by the local ISP and acts as the Internet gateway. The term locally attached machine refers to all systems on an internal network regardless of the method of attachment (local area network or wide area network) and regardless of the distance of the connection. The term external machine refers to a system located on the Internet. The following figure illustrates how masquerade NAT works.

To the Internet, all of your workstations appear to be contained within your system; that is, only one IP address is associated with both your system and your workstations. When the system receives a reply packet from the Internet addressed to that public address, it uses the port number in the packet to determine which workstation on the internal LAN the packet belongs to, rewrites the destination address accordingly, and sends it there.

Each workstation must be set up so that i5/OS is its gateway and its default route. The correspondence between a particular communication connection (port) and a workstation is established when one of your workstations sends a packet to i5/OS to be forwarded to the Internet. The masquerade NAT function records the port number it assigned, so that when responses arrive over that connection it can deliver them to the correct workstation.

A record of active port connections and the last access time by either end of the connection is created and maintained by masquerade NAT. These records are periodically purged of all connections that are idle for a predetermined amount of time based on the assumption that an idle link is no longer in use.

All communication between your workstation and the Internet must be initiated by locally attached machines. This gives the private network a useful measure of protection: hosts on the Internet cannot open connections to your workstations, and the private addresses never appear in packets on the Internet. It is not a substitute for packet filtering rules, however; masquerade NAT only blocks traffic that matches no active connection record, and it does no inspection of the traffic it does forward.

A key to the masquerade NAT implementation is the use of logical ports, issued by masquerade NAT to distinguish between the various communication streams. Every TCP or UDP packet carries a source and a destination port number. Masquerade NAT replaces the workstation's source port with a logical port that is unique on the public address, and uses that logical port on the reply path to find the workstation and port to restore.
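The following is an added illustration of the mechanism described above, not code from i5/OS: a small simulation of the connection-record table that masquerade NAT keeps, covering the outbound rewrite to a logical port, the reverse lookup on reply, the rejection of unsolicited inbound packets, and the idle purge. The addresses, the port range starting at 10000, the idle timeout and the class and function names are all assumptions made for the example. One design choice goes slightly beyond the page: a reply is accepted only if it comes from the external machine the workstation actually contacted, so a third party cannot inject packets into a mapping merely by guessing the logical port.

```python
"""Added example: a simulation of masquerade NAT's per-connection state.
Not i5/OS code; addresses, names and the idle timeout are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Mapping:
    private_ip: str      # locally attached workstation
    private_port: int    # the workstation's own source port
    remote_ip: str       # external machine the workstation contacted
    remote_port: int
    proto: str
    last_seen: float     # last access by either end, used by the idle purge


FlowKey = Tuple[str, str, int, str, int]   # proto, private ip/port, remote ip/port


class MasqueradeNAT:
    def __init__(self, public_ip: str, idle_timeout: float = 300.0,
                 first_port: int = 10000):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        self.first_port = first_port
        self.next_port = first_port
        self.table: Dict[int, Mapping] = {}     # logical port -> connection record
        self.flows: Dict[FlowKey, int] = {}     # private flow -> logical port

    def _allocate_port(self) -> int:
        """Pick a logical port not held by a live record. Sequential for clarity;
        a production NAT would randomise so ports are harder to guess."""
        for _ in range(65535 - self.first_port + 1):
            port = self.next_port
            self.next_port = port + 1 if port < 65535 else self.first_port
            if port not in self.table:
                return port
        raise RuntimeError("no free logical ports")

    def translate_outbound(self, pkt: Packet, now: float) -> Packet:
        """Workstation -> Internet: rewrite the source to the public address and
        a logical port, creating the connection record on first use."""
        key: FlowKey = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        lport = self.flows.get(key)
        if lport is None:
            lport = self._allocate_port()
            self.flows[key] = lport
            self.table[lport] = Mapping(pkt.src_ip, pkt.src_port,
                                        pkt.dst_ip, pkt.dst_port, pkt.proto, now)
        self.table[lport].last_seen = now
        return Packet(self.public_ip, lport, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Internet -> workstation: forward only packets that match a record,
        including the remote endpoint. Anything else is dropped (None), which is
        why unsolicited inbound traffic cannot reach the private network."""
        if pkt.dst_ip != self.public_ip:
            return None
        m = self.table.get(pkt.dst_port)
        if (m is None or m.proto != pkt.proto
                or (m.remote_ip, m.remote_port) != (pkt.src_ip, pkt.src_port)):
            return None
        m.last_seen = now
        return Packet(pkt.src_ip, pkt.src_port, m.private_ip, m.private_port, pkt.proto)

    def purge_idle(self, now: float) -> int:
        """Drop records idle for at least idle_timeout; return how many."""
        stale = [lp for lp, m in self.table.items()
                 if now - m.last_seen >= self.idle_timeout]
        for lp in stale:
            m = self.table.pop(lp)
            self.flows.pop((m.proto, m.private_ip, m.private_port,
                            m.remote_ip, m.remote_port), None)
        return len(stale)


if __name__ == "__main__":
    # Constructed addresses drawn from the RFC 5737 documentation ranges.
    nat = MasqueradeNAT("203.0.113.5", idle_timeout=60)
    out = nat.translate_outbound(Packet("192.168.1.10", 40000, "198.51.100.7", 80), now=0)
    print("outbound rewritten to", out)
    print("reply delivered to", nat.translate_inbound(
        Packet("198.51.100.7", 80, "203.0.113.5", out.src_port), now=5))
    print("unsolicited probe:", nat.translate_inbound(
        Packet("198.51.100.9", 4444, "203.0.113.5", out.src_port), now=6))
    print("records purged:", nat.purge_idle(now=100))
```

Two workstations using the same private source port toward the same server receive different logical ports, which is what lets the reply path disambiguate them; once a record is purged, a late reply on its logical port is dropped like any other unsolicited packet.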
