A router (running NAT) monitors all outgoing packets and then allows incoming packets that are responses to these outgoing packets.
So, if you make an outbound TCP connection to google.com:80, then the response packets come back from google.com:80. If two internal nodes connect to the same port, the router can distinguish between them because the local port is different, for example:
1) Host A establishes a connection with Google, and the router uses its own local port 10001 for the TCP connection.
2) Host B makes a similar connection, and the router uses its own local port 10002 for the TCP connection.
If a packet comes from google.com:80 and is addressed to port 10001 on the router's WAN IP, then the router knows to send it to Host A. If it is addressed to port 10002, the router knows to send it to Host B.
If you have two peers behind routers (two NATs), then there is no way to establish a connection, unless there is something that can transmit information about each other's IP addresses (that is, a server they can use to exchange information). They can then try to guess which port the router will choose as the local port, and start sending data to each other on that port, to the routers' WAN IPs. Since both routers see OUT data, they establish a rule to allow IN data. If the ports are guessed correctly, packets on each side can go through because both routers have a configured rule. This is called UDP / TCP hole punching.
http://en.wikipedia.org/wiki/UDP_hole_punching
I believe Skype is an example of an application that uses UDP hole punching.
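The exchange described in the answer above, as an added example that is not part of the original post: a small Python simulation of two hosts behind two NATs, a rendezvous server that tells each peer the other's external endpoint, and the simultaneous sends that punch the holes. The NAT model is the one the answer sketches (an outbound packet creates an external-port mapping starting at 10001 and a rule admitting replies from that destination); the addresses are made-up documentation-range IPs, the `symmetric` switch is my own addition to show the case where the external port changes per destination and therefore has to be guessed.

```python
"""Simulation of UDP hole punching through two NATs (added example).

All IP addresses are constructed values from the documentation ranges
(192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24); nothing here touches the network.
"""
from dataclasses import dataclass

Endpoint = tuple  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: str


class Nat:
    """Toy NAT with the behaviour the answer describes.

    Outbound: the first packet from an internal endpoint gets a fresh external
    port (10001, 10002, ...) and the destination is remembered as allowed.
    Inbound: a packet is delivered only if it arrives at a mapped external port
    from a remote endpoint that port has already sent to; otherwise it is dropped.

    symmetric=True (an assumption added for illustration) allocates a new
    external port per destination, the case where the peer has to guess the port.
    """

    def __init__(self, wan_ip, first_port=10001, symmetric=False):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.symmetric = symmetric
        self.mappings = {}  # mapping key -> external port
        self.reverse = {}   # external port -> internal endpoint
        self.allowed = {}   # external port -> set of remote endpoints sent to

    def _key(self, pkt):
        return (pkt.src, pkt.dst) if self.symmetric else pkt.src

    def outbound(self, pkt):
        """Translate a LAN->WAN packet and record the rule it creates."""
        key = self._key(pkt)
        ext_port = self.mappings.get(key)
        if ext_port is None:
            ext_port = self.next_port
            self.next_port += 1
            self.mappings[key] = ext_port
            self.reverse[ext_port] = pkt.src
            self.allowed[ext_port] = set()
        self.allowed[ext_port].add(pkt.dst)
        return Packet((self.wan_ip, ext_port), pkt.dst, pkt.payload)

    def inbound(self, pkt):
        """Translate a WAN->LAN packet, or return None if the NAT drops it."""
        ext_port = pkt.dst[1]
        if pkt.dst[0] != self.wan_ip or ext_port not in self.reverse:
            return None  # no mapping for this port at all
        if pkt.src not in self.allowed[ext_port]:
            return None  # nobody inside has sent to this peer yet
        return Packet(pkt.src, self.reverse[ext_port], pkt.payload)


def punch(symmetric_a=False, symmetric_b=False):
    """Run the rendezvous + punch sequence and report what got through."""
    nat_a = Nat("203.0.113.1", symmetric=symmetric_a)
    nat_b = Nat("198.51.100.1", symmetric=symmetric_b)
    host_a = ("192.168.0.10", 5000)
    host_b = ("10.0.0.20", 6000)
    server = ("192.0.2.5", 3478)  # rendezvous server on the public internet

    # 1. Both peers send to the server; the server sees their external endpoints
    #    and (out of band here) tells each peer the other's.
    ext_a = nat_a.outbound(Packet(host_a, server, "register A")).src
    ext_b = nat_b.outbound(Packet(host_b, server, "register B")).src

    # 2. B sends to A before A has sent anything to B: NAT A has no rule, drops it.
    first_try = nat_b.outbound(Packet(host_b, ext_a, "hello A?"))
    dropped_before_punch = nat_a.inbound(first_try) is None

    # 3. Both peers send to each other's external endpoint. Each NAT sees its
    #    own host's OUT packet and installs a rule admitting the peer's IN packet.
    punch_a = nat_a.outbound(Packet(host_a, ext_b, "punch"))
    punch_b = nat_b.outbound(Packet(host_b, ext_a, "punch"))
    return {
        "dropped_before_punch": dropped_before_punch,
        "a_got_b": nat_a.inbound(punch_b) is not None,
        "b_got_a": nat_b.inbound(punch_a) is not None,
    }


if __name__ == "__main__":
    print("cone/cone       :", punch())
    print("symmetric A     :", punch(symmetric_a=True))
    print("symmetric B     :", punch(symmetric_b=True))
```

With both NATs allocating one external port per internal socket, the server-observed port is the one the peer must hit, so both punches land. Flip either side to `symmetric=True` and the port used toward the peer differs from the one the server saw, so both directions are dropped; that is the situation in which the answer says the port has to be guessed.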