Mastering NAT Types and Network Hole Punching: A Practical Guide
This article explains the different NAT classifications, compares cone and symmetric NATs, outlines the security implications, and provides detailed step‑by‑step procedures for network hole punching across various NAT configurations, while also covering related technologies such as ALG, UPnP, STUN, TURN, and ICE.
NAT Classification
Basic NAT (static or dynamic) only translates private IP addresses to public ones without changing TCP/UDP ports. NAPT (Network Address Port Translation) modifies both IP addresses and ports.
Cone NAT Types
Full Cone NAT: Once a mapping is created, any external host can send packets to the public address and port.
Restricted Cone NAT: Only hosts that the internal client has previously contacted can send packets back.
Port‑restricted Cone NAT: Like restricted cone, but the external host must also use the same port number.
Symmetric NAT
Allocates a different public port for each destination address (and port) the internal host sends to, so every mapping serves exactly one peer and only that peer can send packets back through it. It offers the highest security level.
Security ranking: Symmetric > Port‑restricted Cone > Restricted Cone > Full Cone.
Network Hole Punching
Requirements: a middle (rendezvous) server that stores each client's public address as the server sees it and can tell both clients when to send their UDP punch packets. Both peers must be behind Cone NATs; Symmetric NATs are unsuitable.
Hole‑Punching Scenarios
Same NAT device : Clients A and B establish UDP connections to a server, receive public ports, exchange addresses via the server, and attempt direct UDP communication, which succeeds if the NAT supports hairpin translation.
Different NAT devices : Each client obtains a public address from its NAT, registers its private address with the server, and the server relays the peer’s addresses. Clients then send initial packets to open holes; subsequent packets can traverse the NATs.
Multiple NAT layers : When an ISP‑provided NAT (NAT C) sits above the local NATs, hairpin translation must be supported by NAT C for successful P2P communication.
Combination of NAT Types
Hole punching success depends on the NAT combination; two symmetric NATs cannot be punched through, while other combinations may succeed.
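To make the classification and the combination rule above concrete, here is an added example that is not code from the original article: it models each of the four NAT behaviours as a mapping rule plus a filtering rule, then runs the rendezvous hole‑punching exchange (register, relay public endpoints, send punch packets, reply to the source actually observed) through two simulated NATs, including the same‑device hairpin case from the scenarios section. It goes slightly beyond the text by producing the full 4×4 combination table. All addresses, ports and the rendezvous server endpoint are constructed sample values; sequential port allocation is a modelling assumption, and the port‑prediction trick for symmetric NATs is deliberately not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC = (
    "full_cone", "restricted_cone", "port_restricted_cone", "symmetric")

# Constructed rendezvous ("middle") server address, not a real host.
RENDEZVOUS: Endpoint = ("203.0.113.10", 3478)


@dataclass
class NAT:
    kind: str
    public_ip: str
    hairpin: bool = True      # can it loop a packet back to its own public IP?
    next_port: int = 40000    # sequential allocation is a modelling assumption
    # mapping key -> public port.  Cone NATs key on the private endpoint only
    # (one mapping reused for every destination); symmetric NATs key on
    # (private endpoint, destination), so every peer gets its own public port.
    mappings: Dict[tuple, int] = field(default_factory=dict)
    # public port -> (private endpoint, destinations this mapping has sent to)
    table: Dict[int, Tuple[Endpoint, Set[Endpoint]]] = field(default_factory=dict)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outgoing packet; returns the public endpoint it leaves from."""
        key = (src, dst) if self.kind == SYMMETRIC else (src,)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.table[self.next_port] = (src, set())
            self.next_port += 1
        port = self.mappings[key]
        self.table[port][1].add(dst)
        return (self.public_ip, port)

    def inbound(self, remote: Endpoint, public_port: int) -> Optional[Endpoint]:
        """Apply the filtering rule; returns the private endpoint, or None if dropped."""
        if public_port not in self.table:
            return None                               # no mapping: always dropped
        private, contacted = self.table[public_port]
        if self.kind == FULL_CONE:
            return private                            # any external host may send
        if self.kind == RESTRICTED:                   # same remote IP, any port
            return private if any(d[0] == remote[0] for d in contacted) else None
        # port-restricted cone and symmetric: exact remote (ip, port) must match
        return private if remote in contacted else None


def send(nat_from: NAT, src: Endpoint, nat_to: NAT, dst: Endpoint):
    """One packet from src (behind nat_from) to public endpoint dst (owned by
    nat_to).  Returns (public source used, private receiver or None)."""
    src_pub = nat_from.outbound(src, dst)
    if nat_from is nat_to and not nat_from.hairpin:
        return src_pub, None      # same device, no hairpin translation: dropped
    return src_pub, nat_to.inbound(src_pub, dst[1])


def hole_punch(nat_a: NAT, a: Endpoint, nat_b: NAT, b: Endpoint) -> bool:
    """Rendezvous hole punching.  Succeeds when one side's punch packet gets
    through and the receiver's reply to the source it actually saw also gets
    through, which is what a real client does with the first packet it receives."""
    a_pub = nat_a.outbound(a, RENDEZVOUS)        # 1. both register with the server
    b_pub = nat_b.outbound(b, RENDEZVOUS)
    # 2. the server relays each peer's public endpoint.
    # 3. both send punch packets; real clients retransmit, so allow two rounds,
    #    since the very first packet often arrives before the far side has opened.
    for _ in range(2):
        a_src, got_at_b = send(nat_a, a, nat_b, b_pub)
        b_src, got_at_a = send(nat_b, b, nat_a, a_pub)
        # 4. whoever received a punch answers to the address seen on the wire
        if got_at_b is not None and send(nat_b, got_at_b, nat_a, a_src)[1] == a:
            return True
        if got_at_a is not None and send(nat_a, got_at_a, nat_b, b_src)[1] == b:
            return True
    return False


def punch_matrix() -> Dict[Tuple[str, str], bool]:
    """Every NAT-type pair behind two different devices, fresh state each time."""
    kinds = [FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC]
    result = {}
    for ka in kinds:
        for kb in kinds:
            na, nb = NAT(ka, "198.51.100.1"), NAT(kb, "198.51.100.2")
            result[(ka, kb)] = hole_punch(na, ("10.0.0.2", 5000), nb, ("192.168.1.2", 6000))
    return result


def same_device(kind: str, hairpin: bool) -> bool:
    """Two clients behind one NAT device (the first scenario above)."""
    n = NAT(kind, "198.51.100.1", hairpin=hairpin)
    return hole_punch(n, ("10.0.0.2", 5000), n, ("10.0.0.3", 5000))


if __name__ == "__main__":
    for (ka, kb), ok in punch_matrix().items():
        print(f"{ka:>21} <-> {kb:<21} {'punched' if ok else 'blocked'}")
    print("same device, hairpin:", same_device(PORT_RESTRICTED, True),
          " without hairpin:", same_device(PORT_RESTRICTED, False))
```

Running it prints 13 of the 16 pairings as punched; the three that stay blocked are symmetric with symmetric and symmetric with port‑restricted cone in either order, because the symmetric side's punch leaves from a port the other side has never seen, and the other side's punch arrives at a port the symmetric NAT mapped only for the server. Symmetric against full or restricted cone still works because those filters ignore the remote port. The retry loop is what makes order irrelevant, and the "reply to the observed source" step is what lets a cone peer learn the symmetric peer's real port.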
Related Technologies
ALG (Application Layer Gateway): Performs address translation for application‑layer protocols that embed IP information.
UPnP: Allows devices to discover and open ports automatically, though often disabled for security.
STUN (Simple Traversal of UDP Through NAT): Determines the public address and NAT type of a client.
TURN (Traversal Using Relays around NAT): Relays all traffic through a server, avoiding NAT issues at the cost of higher latency and server load.
ICE (Interactive Connectivity Establishment): Combines the above techniques to find the best path, adding complexity.
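The STUN exchange, and the payload‑embedded‑address problem that ALG exists for, are easiest to see on the wire. The following is an added example, not code from the article or from any STUN implementation: it builds the Binding Request a client sends, constructs the Binding Response a server would return (no network traffic is involved), and parses the client's public address out of it. The message layout, the 0x2112A442 magic cookie and the attribute codes follow RFC 5389, the revision in which STUN was renamed Session Traversal Utilities for NAT; the IP addresses and port numbers are constructed sample values.

```python
import os
import socket
import struct
from typing import Optional, Tuple

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 STUN header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001       # classic RFC 3489 attribute (plain address)
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # RFC 5389 attribute (address XORed with cookie)
IPV4 = 0x01


def build_binding_request(txid: Optional[bytes] = None) -> bytes:
    """Client -> server: a bare 20-byte header; the 12-byte transaction id is random."""
    txid = txid if txid is not None else os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def build_binding_response(txid: bytes, ip: str, port: int, xor: bool = True) -> bytes:
    """Server -> client: echoes the transaction id and reports the source
    address:port the request arrived from, i.e. the client's public mapping."""
    addr = int.from_bytes(socket.inet_aton(ip), "big")
    if xor:
        attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, IPV4,
                           port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE)
    else:
        attr = struct.pack("!HHBBHI", ATTR_MAPPED_ADDRESS, 8, 0, IPV4, port, addr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_binding_response(data: bytes, expected_txid: bytes) -> Tuple[str, int]:
    """Return (public ip, public port).  Prefers XOR-MAPPED-ADDRESS: an ALG that
    rewrites any IP it spots inside a UDP payload would corrupt the plain form."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or mtype != BINDING_SUCCESS:
        raise ValueError("not a STUN binding success response")
    if data[8:20] != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed response)")
    if len(data) < 20 + length:
        raise ValueError("truncated attributes")
    plain = xored = None
    off = 20
    while off + 4 <= 20 + length:
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + alen]
        off += 4 + (alen + 3) // 4 * 4        # attribute values are padded to 4 bytes
        if len(value) != 8 or value[1] != IPV4:
            continue                           # skip IPv6 and unrelated attributes
        port, addr = struct.unpack("!HI", value[2:8])
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            port ^= MAGIC_COOKIE >> 16
            addr ^= MAGIC_COOKIE
            xored = (socket.inet_ntoa(addr.to_bytes(4, "big")), port)
        elif atype == ATTR_MAPPED_ADDRESS:
            plain = (socket.inet_ntoa(addr.to_bytes(4, "big")), port)
    if xored is None and plain is None:
        raise ValueError("no mapped address in response")
    return xored if xored is not None else plain


def behind_nat(local: Tuple[str, int], reflexive: Tuple[str, int]) -> bool:
    """True when the address the server saw differs from the local socket address."""
    return local != reflexive


if __name__ == "__main__":
    # Constructed exchange: nothing is sent.  A real client would sendto() the
    # request to a STUN server's UDP port and recvfrom() the response.
    txid = os.urandom(12)
    request = build_binding_request(txid)
    response = build_binding_response(txid, "203.0.113.77", 51234)
    public = parse_binding_response(response, txid)
    print("request bytes:", request.hex())
    print("server-reflexive address:", public,
          "NAT present:", behind_nat(("10.0.0.2", 5000), public))
```

Two details carry the security weight. The transaction‑id check is not optional: a client that accepts any Binding Response would adopt a stale or forged public address and then punch at the wrong endpoint. And the XOR form is preferred for exactly the ALG reason given above: a gateway that rewrites addresses it recognises in payloads corrupts a plain MAPPED-ADDRESS, while the cookie‑XORed value passes through untouched.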
Other Considerations
Common scenarios using symmetric NAT include ISP‑provided broadband, mobile 3G/4G devices, and large corporate routers. Two factors decide whether hole punching still works in such cases: a symmetric NAT whose port allocation is predictable can sometimes be punched anyway, and a client that ends up with more than one public address may have the server report ports that do not match the ones actually used, causing the connection to fail.
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.