NAT Routers Part 1: Client Firewalls
Segment 6: The magic within your router
When that outgoing packet arrives inside the NAT router, it is of course encapsulated within the Ethernet frame that got it there. At that point, the Ethernet frame is no longer needed, and it is discarded, allowing the NAT router to examine the IP packet inside.
The destination IP address reveals that this packet is headed for some other computer out on the worldwide Internet, and the NAT router concludes that it need not change that destination IP address. However, the source and destination IP addresses are both preserved for future use within the router, and then the IP packet is discarded, revealing the TCP data inside.
Examining the TCP data from this PC allows the NAT router to learn about process 2020 inside the PC, which is sending this message.
The NAT router then begins a new process of its own, pretending to be process 2020, as if it were still running inside the PC. For this discussion, we'll assume that the NAT router assigns process ID number 3000 to this new process.
The NAT router then slightly modifies the TCP data to reflect this new process number for its purpose later on, and then re-encapsulates that TCP data inside a new IP packet, translating the IP addresses as necessary to preserve the privacy of the PC's local IP address by replacing it with its own IP address (originally assigned by the ISP: 220.127.116.11 in this case). The destination IP address is not changed.
The resulting, slightly modified IP packet is then encapsulated inside a new Ethernet frame (addressed to the DSL or cable modem), and sent on its way.