Peer-to-Peer (P2P) communication across middleboxes（术语篇）[10]

还是上面那个例子：如果 client a (10.0.0.1:1234)同时发起两个 "外出" 会话,分别发往s1和s2。对称nat会分配公共地址155.99.25.11:62000给session1，然后分配另一个不同的公共地址155.99.25.11:62001给session2。对称nat能够区别两个不同的会话并进行地址转换，因为在 session1 和 session2中的外部地址是不同的，正是因为这样，client端的应用程序就迷失在这个地址转换边界线了，因为这个应用程序每发出一个会话都会使用一个新的端口，无法保障只使用同一个端口了。

the issue of cone versus symmetric nat behavior applies equally to tcp and udp traffic. cone nat is further classified according to how liberally the nat accepts incoming traffic directed to an already-established (publicip, public port) pair.  this classification generally applies only to udp traffic, since nats and firewalls reject incoming tcp connection attempts unconditionally unless specifically configured to do otherwise.