The Computer Oracle

How does a NAT server forward ping ICMP echo reply packets to users?


Full question
https://superuser.com/questions/135094/h...

--

Content licensed under CC BY-SA
https://meta.stackexchange.com/help/lice...

--

Tags
#ipaddress #ping #nat




ACCEPTED ANSWER

Score 49


For ICMP query/reply type messages like Echoes (pings), NAPT uses the ICMP Query ID (sometimes just called the ICMP ID) the same way it would use a TCP or UDP port number.

For ICMP error messages such as Destination Unreachable, it uses the ICMP packet's internal copy of the headers of the frame that caused the error to figure out which mapping in the NAT table to use to translate it.

These procedures are referenced briefly in several NAT-related RFCs, but I had a hard time finding one that explicitly spelled out the procedure. See "Traditional NAT", RFC3022, section 4.1.

This doesn't conflict with any TCP or UDP mapping because in a good NAPT implementation, the protocol is one of the pieces of information held in the NAT table entry to make it unique.




ANSWER 2

Score 1


I did a small simulation (based on the GNS3 Kali Linux CLI appliance) to check what happens when ICMP clashes (apparently, it could be vendor specific):

ICMP requests/response Before NAT shows the situation where the Identifiers of ICMP requests from 2 devices (with IPs 10.0.0.1 and 10.0.0.2 respectively) become equal.

At the same time, ICMP requests/response After NAT shows that the Identifier of the clashing ICMP session is changed to 0 by the NAT, and is incremented from there on.

In summary, it can be said that the Linux NAT handles the clashing of ICMP identifiers on its own (as the ICMP identifiers are not changed before the NAT).
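
The table lookups described in both answers, as an added example that is not part of the original answers or of any NAT implementation: a toy NAPT table keyed on protocol plus ICMP Query ID (or port), covering echo replies, ICMP errors and an ID clash. The class and function names, the addresses and the "next free ID" allocation policy are assumptions, and the remote address is left out of the key for brevity.

```python
# Toy NAPT table: the ICMP Query ID plays the role a TCP/UDP port would.
ICMP, UDP = 1, 17            # IP protocol numbers
PUBLIC_IP = "203.0.113.1"    # constructed external address

class Napt:
    def __init__(self):
        self.out = {}    # (proto, inside_ip, inside_id) -> outside_id
        self.back = {}   # (proto, outside_id) -> (inside_ip, inside_id)

    def translate_out(self, proto, src_ip, ident):
        """Outbound query: rewrite the source to (PUBLIC_IP, outside_id)."""
        key = (proto, src_ip, ident)
        if key not in self.out:
            # Keep the original ID when free; on a clash take the next free one
            # (assumed policy, real implementations choose differently).
            for step in range(0x10000):
                ext = (ident + step) & 0xFFFF
                if (proto, ext) not in self.back:
                    break
            else:
                raise RuntimeError("no free ID left for this protocol")
            self.out[key] = ext
            self.back[(proto, ext)] = (src_ip, ident)
        return PUBLIC_IP, self.out[key]

    def translate_reply(self, proto, ident):
        """Inbound reply to PUBLIC_IP: (inside_ip, inside_id), or None."""
        return self.back.get((proto, ident))

    def translate_error(self, embedded):
        """Inbound ICMP error: `embedded` is the copy of the offending packet's
        headers as sent after NAT, so its source ID selects the mapping."""
        if embedded["src"] != PUBLIC_IP:
            return None  # not caused by a packet this NAT translated
        return self.back.get((embedded["proto"], embedded["id"]))

def demo():
    nat = Napt()
    a = nat.translate_out(ICMP, "10.0.0.1", 0x1234)  # first ping keeps its ID
    b = nat.translate_out(ICMP, "10.0.0.2", 0x1234)  # clashing ID is remapped
    u = nat.translate_out(UDP, "10.0.0.2", 0x1234)   # UDP port: separate space
    return nat, a, b, u
```
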