Newbie question on private networks

KorskiKid1
Level 1

Hi,

Let's say I have a private corporate network. There are 50 workstations plus a handful of other hosts. A class C private network should do, I would think? My question comes when connecting to the public internet. How do I get a public IP address to map to a private address? Is a DHCP request made for each transaction? My understanding is that a workstation on the public domain of the internet would make a DHCP request for an IP address and hold on to it for a day or two. If this were the case in a private network, it would seem to me that there would not be any conservation of addresses if each workstation (that is used every day to get on the internet) has its own public IP mapped to its private IP.

Also, does a company like the one described above apply for a block of public IP addresses for their use only, or do they just get thrown a different one each time by the ISP?

Thank you for any help

Adam


9 Replies

Mark Malone
VIP Alumni

Hey, if you have multiple sites that would require public IPs then you would get a block off IANA; otherwise, if they're just broadband sites in different places, the local ISP will provide you with an address.

The public IP and the private range will be on the same router, so the router will automatically take care of the mapping for you, and to get the private IPs to be able to communicate over the internet between sites you would use the feature NAT. You can map 1 to 1 or just map everything using the overload command. Here's a good link which will show you how to do it and explain it as you go:

http://evilrouters.net/2009/07/09/configuring-basic-nat-with-overloading/

A class C will give you 255 addresses, usually plenty for a small business site; the next jump is 512, which would be a /23 subnet. Also, with DHCP you can set your lease to be whatever you want, even infinite, so that basically makes static mapping, as the PC will also get the same IP address back.

Hope that's clear; anything else, just ask.

Aha! The overloading concept was the missing piece for me. What is a standard practice when setting up your overloading tables? You know, like 2 to 1, 10 to 1 or whatever. And I am still not clear on when you would request a block and when you wouldn't. I think if you request a block of 10, you would analyze how often your users are using them to set your overload. If you don't request a block and get a new public IP address from your provider every time, would it even be necessary to overload?

Also, if your users all use the internet every day, setting your lease time to say 1 day would be like having static mapping for the entire day. Then tomorrow everyone gets a new address and static maps to that one all day? Is that right?

Thanks

Adam

Also, thanks for taking the time to help Mark

I think I got an idea of what's going on now. Thanks Mark

One more question Mark. Is there anything to stop a corp or really anyone from hogging a limited number of IP addresses from the ISP by setting long lease times? I guess that kind of gets at what got me thinking on this path.

I think we have our wires crossed in terms of lease. You do not get a lease from the ISP; you buy the address from IANA, but then you can have a DHCP lease on your local router or PC that, if cleared, would also clear your NAT translations, as it's the source IP that generates the NAT. So what you're saying above isn't really possible, as it can't really happen; once you buy the IP address it's yours to use how you please. No one else can use that public IP ever in any way, as it's globally assigned to you and will be recognized in every ISP as yours. If someone else is using it then likely you've been hacked somehow.

The mapping in NAT in overload looks like this: your local PC wants to break out, so it has a private IP of 10.0.0.1. Instead of giving it a mapping of 1-1 to your public IP address, which would waste it as it's used straight away (you might have 50 PCs that need to break out to the internet), overload tells the router to not only map it 1-1 but also give it an individual port number between 1-65535. That way, when PC 2 wants to break out, instead of just using the public IP address as well, the router gives him port number 2, and so on. This allows the router to continuously assign private IP PCs to 1 public IP to break out onto the internet and not waste the ever-running-out public IPv4 :) Hope that made sense

Example from one of my NAT routers: you can see it using the same public IP on the left but then mapping to multiple private IPs using port numbers, some obviously known ports such as HTTPS 443 and so on

InternetGatewayA#sh ip  nat tra
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                172.21.62.10       62.221.5.231
--- ---                ---                172.21.62.22       62.221.5.238
--- ---                ---                172.21.62.23       62.221.5.235
tcp 195.27.3.29:33852  10.21.0.146:33852  199.16.156.241:443 199.16.156.241:443
tcp 195.27.3.29:47714  10.21.0.146:47714  130.239.18.215:6667 130.239.18.215:6667
tcp 195.27.3.29:48615  10.21.0.146:48615  74.125.24.189:443  74.125.24.189:443
tcp 195.27.3.29:50184  10.21.0.146:50184  157.56.52.22:40016 157.56.52.22:40016
tcp 195.27.3.29:50815  10.21.0.146:50815  108.160.162.110:443 108.160.162.110:443
tcp 195.27.3.29:55591  10.21.0.146:55591  193.50.97.147:22   193.50.97.147:22
tcp 195.27.3.29:57077  10.21.0.146:57077  54.165.88.180:443  54.165.88.180:443
tcp 195.27.3.29:59689  10.21.0.146:59689  216.58.198.78:443  216.58.198.78:443
tcp 195.27.3.29:59741  10.21.0.146:59741  216.58.198.78:443  216.58.198.78:443
tcp 195.27.3.29:60119  10.21.0.146:60119  91.190.216.57:12350 91.190.216.57:12350
tcp 195.27.3.29:35561  10.21.0.158:35561  46.7.38.26:1723    46.7.38.26:1723
udp 195.27.3.29:4822   10.21.0.170:4822   8.8.8.8:53         8.8.8.8:53
udp 195.27.3.29:14656  10.21.0.170:14656  8.8.8.8:53         8.8.8.8:53
udp 195.27.3.29:19169  10.21.0.170:19169  8.8.8.8:53         8.8.8.8:53
udp 195.27.3.29:24704  10.21.0.170:24704  8.8.8.8:53         8.8.8.8:53
udp 195.27.3.29:26667  10.21.0.170:26667  8.8.8.8:53         8.8.8.8:53
udp 195.27.3.29:32579  10.21.0.170:32579  8.8.8.8:53         8.8.8.8:53
udp 195.27.3.29:48830  10.21.0.170:48830  8.8.8.8:53         8.8.8.8:53
udp 195.27.3.29:49153  10.21.0.237:49153  8.8.8.8:53         8.8.8.8:53
udp 195.27.3.29:49455  10.21.0.237:49455  8.8.8.8:53         8.8.8.8:53
 --More--

Mark,

I see TCP sessions to your public address of your gateway router on the left, 195.27.3.29, with all kinds of different port numbers. That should be a class C address. Next on the line I see 10.21.0.X with the same port numbers as above, like on the first line 10.21.0.146. I recognize this as a class A private IP address. At first I thought it was the internal name of that gateway router, but then I noticed there were a few different addresses in this column. Next on the line I see (on the first line for example) 199.16.156.241:443. I'm assuming that's the end user client inside your network? It has the 443 ports for HTTPS. But the address looks like it falls in the class C public address range. Still a little confused. I am studying for Net+ so I really am a newbie.

So the subnet mask is irrelevant here, and most of ours would not be class C as the network is so large; most of our internal subnets would be class B 10.21.0.0, and the public IP block could be anything from /28, /29 etc. depending on what we bought.

Take this line

udp 195.27.3.29:4822   10.21.0.170:4822   8.8.8.8:53         8.8.8.8:53

One of our internal devices, 10.21.0.170, is using overload: his private IP is being translated to port number 4822 (done automatically by NAT) with one of our public IPs 195.x.x.x and passed on to Google DNS 8.8.8.8 with port no 53, as it must have been some form of DNS request.

This one

tcp 195.27.3.29:33852  10.21.0.146:33852  199.16.156.241:443 199.16.156.241:443

Host 10.21.0.146 is trying to reach an external secure web system, so he's translated again to our public IP address and then to the public IP he's trying to reach with HTTPS 443, so this allows him to open a public internet web browser.

Hey ye, with overload it maps by port number and there's thousands of them, so in reality you could have thousands, but NAT uses RAM as well, so you would want to make sure you have enough of that rather than public IPs. I have seen 1 to 100 translations working fine on an 800 series router, but it all depends on what the users are doing and what amount of traffic they're processing. You can manually clear translations if required too. If their lease is 1 day, most of the time you will see they keep the same IP address. If you overuse the NAT in terms of RAM or ports used up, you will get dropped connections. You can tweak your timers to how long the router keeps the connection established if it's not in use: ip nat translation tcp-timeout xx

You don't need to use overload, but it's way handier than specifying a static 1-1 NAT for every user.

Really you shouldn't need a block, and public IPv4 addresses are now scarce, all gone in the U.S.; they're not cheap anymore.
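To make the overload mapping Mark describes concrete, here is an added example (my own code, not Mark's router or anything from this thread) that models a PAT table: many inside hosts share one inside-global address, the router keeps flows apart by port, keeps the host's own source port when it is free (as the 33852 -> 33852 rows in his output show), reclaims idle entries after a timeout like the tcp-timeout he mentions, and runs out of ports rather than public IPs. The class and method names, the port range and the timeout value are all my assumptions, not IOS internals.

```python
# Added example, not from this thread: a small model of NAT overload (PAT).
# Entry names, the default port range and the timeout value are assumptions;
# the table layout in show() copies the 'show ip nat translations' header.
from dataclasses import dataclass, field


@dataclass
class Entry:
    proto: str
    inside_local: str   # e.g. "10.21.0.146:33852"
    outside: str        # e.g. "199.16.156.241:443"
    last_seen: float    # seconds; drives the idle timeout


@dataclass
class PatTable:
    inside_global: str             # the one public IP everyone shares
    port_lo: int = 1024
    port_hi: int = 65535
    idle_timeout: float = 86400.0  # like "ip nat translation tcp-timeout"
    table: dict = field(default_factory=dict)  # inside-global port -> Entry

    def expire(self, now: float) -> int:
        """Free ports whose flow has been idle longer than the timeout."""
        stale = [p for p, e in self.table.items() if now - e.last_seen > self.idle_timeout]
        for p in stale:
            del self.table[p]
        return len(stale)

    def translate(self, proto: str, inside_local: str, outside: str, now: float):
        """Inside-global ip:port for this flow, or None when no port is free."""
        self.expire(now)
        for port, e in self.table.items():  # known flow: refresh and reuse
            if (e.proto, e.inside_local, e.outside) == (proto, inside_local, outside):
                e.last_seen = now
                return f"{self.inside_global}:{port}"
        wanted = int(inside_local.rsplit(":", 1)[1])  # prefer the host's own port
        candidates = [wanted] if self.port_lo <= wanted <= self.port_hi else []
        candidates += range(self.port_lo, self.port_hi + 1)
        port = next((p for p in candidates if p not in self.table), None)
        if port is None:
            return None  # pool exhausted: the router drops the new connection
        self.table[port] = Entry(proto, inside_local, outside, now)
        return f"{self.inside_global}:{port}"

    def show(self) -> str:
        rows = ["Pro Inside global      Inside local       Outside local      Outside global"]
        for port, e in sorted(self.table.items()):
            rows.append(f"{e.proto} {self.inside_global}:{port:<6} {e.inside_local:<18} "
                        f"{e.outside:<18} {e.outside}")
        return "\n".join(rows)
```

Running it with a deliberately tiny port range (three ports) shows the failure mode Mark warns about: the fourth host gets no translation until an idle entry times out and its port is reclaimed.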