Cone NAT

The cone NAT feature defines additional methods by which external hosts can communicate with an internal private network client using the external public network address mapped in a NAT binding. These additional cone NAT methods are required by products such as Microsoft Xbox LIVE.

When configuring a cone NAT, an access list permitting one or more protocols and ports is assigned to the cone NAT configuration. In order for the cone NAT binding to be created, the packet sent by the internal client must pass the protocol and port criteria listed in the cone NAT access list. Once passed, the listed protocol and port criteria become part of the binding. If the packet initially sent by the internal client does not pass the cone NAT access list protocol and port criteria, a non-cone NAT binding is created.

There are two packet flow directions for any cone NAT binding. Forward is from the perspective of the internal client to the external host. Reverse is from the perspective of the external host to the internal client. For each cone NAT method the forward direction has the same behavior as a basic NAT binding, with the exception that the packet must pass the cone NAT access list protocol and port criteria. Once an internal IP address and port is mapped to an external IP address and port, any packets from the internal address matching the cone NAT access list criteria will be sent through the external address as they are forwarded to the external host.
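As an added illustration (not code from the page or from any vendor's NAT implementation), the following Python model shows the binding logic described above: the first packet from an internal client is checked against the cone NAT access list, a cone or non-cone binding is created accordingly, the matched protocol/port criteria are stored on a cone binding, and later forward packets are translated through that binding only when they match the criteria. Several details are assumptions made for this example: the access list is matched on protocol and destination port, the `CONE_ACL` contents and all IP addresses are constructed sample values, and the reverse-direction rules (`any_external_host` for cone bindings, `original_peer_only` for non-cone bindings) stand in for whichever method the device actually applies, since the methods are defined later on the page by their reverse behavior.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed access list: protocol/port pairs permitted for cone NAT.
# The port number is a sample value chosen for the example.
CONE_ACL: Set[Tuple[str, int]] = {("udp", 3074), ("tcp", 3074)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Binding:
    inside: Tuple[str, int]              # internal client address and port
    outside: Tuple[str, int]             # mapped external (public) address and port
    proto: str
    cone: bool                           # True if the first packet passed the cone ACL
    criteria: Optional[Tuple[str, int]]  # ACL entry that became part of a cone binding
    peer: Tuple[str, int]                # external host the first packet was sent to


# Reverse-direction policies (assumed for this example, see lead-in):
# a cone binding accepts packets from any external host, a non-cone (basic)
# binding only from the host the internal client originally contacted.
ReversePolicy = Callable[[Binding, Packet], bool]


def any_external_host(binding: Binding, pkt: Packet) -> bool:
    return True


def original_peer_only(binding: Binding, pkt: Packet) -> bool:
    return (pkt.src_ip, pkt.src_port) == binding.peer


class ConeNat:
    def __init__(self, public_ip: str, acl: Set[Tuple[str, int]],
                 cone_policy: ReversePolicy = any_external_host,
                 first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.acl = acl
        self.cone_policy = cone_policy
        self.next_port = first_port
        # keyed by (proto, inside_ip, inside_port)
        self.bindings: Dict[Tuple[str, str, int], Binding] = {}

    def _acl_match(self, pkt: Packet) -> Optional[Tuple[str, int]]:
        # Assumption: the ACL is matched on protocol and destination port.
        entry = (pkt.proto, pkt.dst_port)
        return entry if entry in self.acl else None

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Internal client -> external host. Creates the binding on first use."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        binding = self.bindings.get(key)
        if binding is None:
            criteria = self._acl_match(pkt)
            binding = Binding(inside=(pkt.src_ip, pkt.src_port),
                              outside=(self.public_ip, self.next_port),
                              proto=pkt.proto, cone=criteria is not None,
                              criteria=criteria, peer=(pkt.dst_ip, pkt.dst_port))
            self.next_port += 1
            self.bindings[key] = binding
        elif binding.cone and self._acl_match(pkt) != binding.criteria:
            # Only packets matching the stored criteria travel through a cone
            # binding; this model simply declines to translate anything else.
            return None
        return Packet(pkt.proto, binding.outside[0], binding.outside[1],
                      pkt.dst_ip, pkt.dst_port)

    def reverse(self, pkt: Packet) -> Optional[Packet]:
        """External host -> internal client, via the mapped external address."""
        for binding in self.bindings.values():
            if binding.proto == pkt.proto and binding.outside == (pkt.dst_ip, pkt.dst_port):
                policy = self.cone_policy if binding.cone else original_peer_only
                if policy(binding, pkt):
                    return Packet(pkt.proto, pkt.src_ip, pkt.src_port,
                                  binding.inside[0], binding.inside[1])
                return None  # binding exists but the reverse policy rejects the sender
        return None          # no binding for this external address/port


if __name__ == "__main__":
    nat = ConeNat("203.0.113.10", CONE_ACL)
    print(nat.forward(Packet("udp", "192.168.1.20", 3074, "198.51.100.5", 3074)))
    print(nat.reverse(Packet("udp", "198.51.100.99", 3074, "203.0.113.10", 40000)))
```

Running the module shows a cone binding being created for a packet that matches the access list and a packet from a different external host being delivered to the client through that binding; a first packet that does not match the list produces a non-cone binding, which in this model only passes reverse traffic from the original peer.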

There are three cone NAT methods, and they are distinguished by their reverse packet flow behavior.