Hi!
I hope that this info also answers some of your other questions.
You need to differentiate between packet-based NAT (what a router is typically doing) and flow-based NAT (what a firewall does).
In packet-based NAT, the router typically looks only at the fields it needs to translate, and thus they need to be unique; therefore, without PAT, only a single translation is possible.
In flow-based NAT, the firewall looks at a bunch of flow information (incoming interface, SA, DA, protocol, SP, DP), and as long as at least one of them is different it can differentiate the flows.
So, for example, 2 sessions from 2 hosts with the same SA and packets to the same destination and port will succeed when at least the source port (SP) is different.
In the unlikely case of also the same source port, one session will not conclude, and a reopening will use the next source port number and then succeed.
That means that you can have many, many translations without needing PAT when using a firewall.
regards
alexander
#flow-basedNAT #packetbasedNAT
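
A minimal model of the distinction described in the post above, as an added example that is not part of the original post or any vendor's implementation. It assumes several inside hosts share one public address with no port rewriting; the addresses, class names and the retry helper are constructed for illustration.

```python
# Constructed model, not vendor code: inside hosts share ONE public
# address and source ports are never rewritten (no PAT).
PUBLIC_IP = "203.0.113.1"  # documentation-range address, assumed


class PacketNat:
    """Packet-based: keyed only on the field being translated (the address)."""

    def __init__(self):
        self.by_public = {}  # public IP -> inside IP

    def open(self, inside_ip, sport, dst_ip, dport, proto="tcp", iface="inside"):
        # Ports and destination are ignored, so the first host owns the address.
        owner = self.by_public.setdefault(PUBLIC_IP, inside_ip)
        return owner == inside_ip


class FlowNat:
    """Flow-based: keyed on (interface, SA, DA, protocol, SP, DP)."""

    def __init__(self):
        self.sessions = {}  # translated flow key -> inside IP

    def _key(self, sport, dst_ip, dport, proto, iface):
        return (iface, PUBLIC_IP, dst_ip, proto, sport, dport)

    def open(self, inside_ip, sport, dst_ip, dport, proto="tcp", iface="inside"):
        key = self._key(sport, dst_ip, dport, proto, iface)
        if self.sessions.get(key, inside_ip) != inside_ip:
            return False  # every field identical: this session cannot be told apart
        self.sessions[key] = inside_ip
        return True

    def reverse(self, sport, dst_ip, dport, proto="tcp", iface="inside"):
        """Map a returning flow back to the inside host that owns it."""
        return self.sessions.get(self._key(sport, dst_ip, dport, proto, iface))


def connect_with_retry(nat, inside_ip, sport, dst_ip, dport, tries=3):
    """Client side: on failure, reopen with the next source port number."""
    for port in range(sport, sport + tries):
        if nat.open(inside_ip, port, dst_ip, dport):
            return port
    return None
```
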