Network Address Translation (NAT) traversal is a challenge in computer networking that has become a ubiquitous factor that must be taken into consideration when creating new protocols, technologies and services. In current networks, NAT is deployed as a means of security, address-space and network topology abstraction in addition to the originally intended purpose of extending diminishing IPv4 address space.
Because NAT is applied for such a variety of purposes, differing requirements have caused great divergence in how the NAT function is implemented on a given network device. Some implementations consider security first and foremost, others treat scalability as the primary objective, and there are several flavors in between. These factors must be taken into account when enabling an application that has to operate transparently whether or not a NAT device is present in the network transport path, and the challenge grows when multiple different types of NAT implementation must be considered concurrently and in combination. While such deployments are common in current networks, certain applications experience great difficulty, or may not function at all, in such an environment. The dilemma then arises whether to sacrifice the overall level of attainable security for the sake of functionality or to avoid deploying certain applications altogether, much to the dismay of security officers in the former case and of users in the latter.
The common types of NAT implementation are the following:

- Endpoint Independent (aka Full Cone): establishes a translation entry between the inside private address and the outside public address and allows any incoming connection from the outside to be established to the private address.
- Address Dependent (aka Restricted Cone): establishes a translation entry between the inside private address and the outside public address and only allows incoming connections from the outside originating from the address the original flow was using as the destination address.
- Address and Port Dependent (aka Port-Restricted Cone): establishes a translation entry between the inside private address and the outside public address and only allows incoming connections from the outside originating from the address and upper layer protocol port the original flow was using as the destination address and port.
- Symmetric: establishes a translation entry between the inside private address and the outside public address where the outside upper layer protocol port is uniquely assigned to every Source Address/Port and Destination Address/Port flow that creates the translation entry in the NAT. Any incoming connection not exactly matching the outside Source Address/Port and Destination Address/Port is disallowed.
Depending on the specific type of NAT that a given node sits behind or employs locally, incoming connections are treated differently, as is evident from the definitions of the NAT types above. This can create connectivity issues, since different protocols deal with NAT traversal in different ways and may not be able to traverse certain types of NAT without adapting their behavior or using a third-party node to merge the different legs of a given session-layer connection. Many current implementations have adapted protocols to support NAT traversal and then assume that the NAT will behave in a certain way. If the conditions for session establishment in such a context are not met, a node may keep trying indefinitely, resulting in a poor user experience.
The type of NAT being deployed also has different implications for network security. For example, if a location deploys a Symmetric NAT, where the characteristics of each individual session (Inside Address and Port together with Outside Address and Port) are determined by the NAT at the time the inside party establishes the session, then it is much harder for an intruder to make use of such a translation entry to gain access to the inside network. Compared with a NAT employing an Endpoint Independent architecture, where any outside entity can gain access to the inside network simply by guessing which ports may have been opened from the inside as long as the outside address of the NAT is known, this makes for two completely different challenges in terms of staging an attack on a network.
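To make the four filtering behaviours defined above, and the security contrast drawn in this paragraph, concrete, here is a small Python model of a NAT table (an added example, not part of the original text). Every address and port in it is a constructed sample value, and the port-allocation and lookup logic is a deliberately simplified model rather than any vendor's implementation.

```python
from enum import Enum

class NatType(Enum):
    ENDPOINT_INDEPENDENT = "full cone"
    ADDRESS_DEPENDENT = "restricted cone"
    ADDRESS_PORT_DEPENDENT = "port-restricted cone"
    SYMMETRIC = "symmetric"

class Nat:
    """Toy model of one NAT device; public_ip and first_port are constructed sample values."""
    def __init__(self, nat_type, public_ip="203.0.113.1", first_port=40000):
        self.nat_type, self.public_ip, self.next_port = nat_type, public_ip, first_port
        self.table = {}  # key -> (public_port, set of outside (ip, port) peers seen on this entry)

    def _key(self, src, dst):
        # Symmetric: one entry per (inside endpoint, outside endpoint) flow; cone types: one
        # entry per inside endpoint, reused for every outside destination.
        return (src, dst) if self.nat_type is NatType.SYMMETRIC else src

    def outbound(self, src, dst):
        """Inside host src sends to outside dst; returns the public (ip, port) the NAT used."""
        key = self._key(src, dst)
        if key not in self.table:
            self.table[key], self.next_port = (self.next_port, set()), self.next_port + 1
        port, peers = self.table[key]
        peers.add(dst)
        return self.public_ip, port

    def inbound(self, ext_src, public_port):
        """Outside host ext_src sends to public_port; returns inside endpoint, or None if filtered."""
        for key, (port, peers) in self.table.items():
            if port != public_port:
                continue
            inside = key[0] if self.nat_type is NatType.SYMMETRIC else key
            if self.nat_type is NatType.ENDPOINT_INDEPENDENT:
                return inside  # any outside source admitted once the inside host opened the port
            if self.nat_type is NatType.ADDRESS_DEPENDENT and any(p[0] == ext_src[0] for p in peers):
                return inside  # same outside address, any outside port
            if ext_src in peers:
                return inside  # port-restricted and symmetric: exact outside address and port
        return None

def filtering_demo(nat_type):
    """Open one mapping from the inside, then probe it from three outside sources."""
    nat, inside, peer = Nat(nat_type), ("10.0.0.5", 5000), ("198.51.100.7", 3478)
    _, port = nat.outbound(inside, peer)
    return {"same_peer": nat.inbound(peer, port),
            "same_host_other_port": nat.inbound((peer[0], 9999), port),
            "other_host": nat.inbound(("192.0.2.9", 3478), port)}
```

Running `filtering_demo` for each member of `NatType` shows the Endpoint Independent table admitting all three probes while the Symmetric table admits only the exact peer; calling `outbound` twice from the same inside endpoint to two different peers shows that only the Symmetric model hands out a second public port.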