These techniques are typically required for client-to-client networking applications, especially peer-to-peer and Voice-over-IP (VoIP) deployments. Many techniques exist, but no single technique works in every situation, since NAT behavior is not standardized. Many techniques require assistance from a server at a publicly routable IP address. Some methods use the server only when establishing the connection (such as STUN), while others relay all of the data through it (such as TURN), which adds bandwidth costs and increases latency, both of which are detrimental to real-time VoIP applications.
Almost by definition, NAT techniques break end-to-end transparency. Intercepting and modifying traffic can only be performed transparently in the absence of secure encryption and authentication. Most NAT behavior-based techniques bypass enterprise security policies. Enterprise security experts prefer techniques that explicitly cooperate with NAT and firewalls, allowing NAT traversal while still enabling marshalling at the NAT to enforce enterprise security policies. From this point of view, the most promising IETF standards are Realm-Specific IP (RSIP) and Middlebox Communications (MIDCOM).
SOCKS, the oldest NAT traversal protocol, is still widely available. In home/SOHO settings, Universal Plug and Play (UPnP) is supported by most small NAT gateways. NAT-T is commonly used by IPsec VPN clients in order to have ESP packets traverse NAT.
In order for IPsec to work through a NAT, the following need to be allowed on the firewall:
or, in case of NAT-T:
Often this is accomplished on home routers by enabling "IPsec Passthrough".
The default behavior of Windows XP SP2 was changed to no longer have NAT-T enabled by default, because of a rare and controversial security issue. This prevents most home users from using IPsec without making adjustments to their settings. To enable NAT-T so that systems behind NATs can communicate with other systems behind NATs, the following registry value needs to be added and set to 2: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec\AssumeUDPEncapsulationContextOnSendRule
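The following PowerShell script is an added example and is not part of the original article. It reads the registry value named above (HKLM: is the PowerShell drive for HKEY_LOCAL_MACHINE), reports whether NAT-T is currently enabled, and sets the value to 2 only if it differs. It assumes a modern Windows host with the standard registry cmdlets and an elevated (administrator) session; the function names Get-NatTSetting and Set-NatTSetting are this example's own.

```powershell
# Added example (not from the article): inspect and set the NAT-T registry
# value AssumeUDPEncapsulationContextOnSendRule. Run from an elevated session.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPsec'
$valueName = 'AssumeUDPEncapsulationContextOnSendRule'
$desired   = 2   # value given in the article for NAT-to-NAT communication

# Returns the current DWORD value, or $null if the value does not exist
# (which is the "NAT-T disabled" default described in the article).
function Get-NatTSetting {
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$valueName
}

# Creates the IPsec key if needed and writes the DWORD value (overwriting any
# existing value of the same name).
function Set-NatTSetting {
    param([int]$Value)
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

$current = Get-NatTSetting
if ($null -eq $current) {
    Write-Output "$valueName is not set: NAT-T is disabled (default)."
} else {
    Write-Output "$valueName is currently $current."
}

if ($current -ne $desired) {
    Set-NatTSetting -Value $desired
    Write-Output "Set $valueName to $desired. Restart the computer for the change to take effect."
    Write-Output "Verified value: $(Get-NatTSetting)"
} else {
    Write-Output "No change needed."
}
```

The check-before-write pattern matters on shared or managed machines: the script leaves an already-correct value untouched and prints the value it read back, so a change-control log can record both the previous and the new state. Because the IPsec driver reads this value at start-up, the setting does not take effect until the system is restarted.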
IPsec NAT-T patches are also available for Windows 2000, Windows NT and Windows 98.
One usage of NAT-T and IPsec is to enable opportunistic encryption between systems. NAT-T allows systems behind NATs to request and establish secure connections on demand.