在微软的 NAT 技术文档"How NAT Works"中可以发现: http://technet2.microsoft.com/WindowsServer/en/library/0f4bad59-5237-4452-a693-708ac61fe1671033.mspx 如果无法打开, 你自己到微软的网站搜索得到链接. If a client on the private network makes a TCP connection to two different computers on the public network from the same source port, the NAT driver will choose different source ports for those mappings. If a client on the private network sends UDP packets to two different computers on the public network from the same source port, the NAT driver will use the same source port for both mappings. 所以必须使用 UDP 穿透. TCP 穿透据说已经实现, 但是太依赖技巧性, 而且不成熟. How NAT determines whether an inbound packet matches an existing dynamic or static mapping. For UDP, however, an inbound packet must match only the protocol, destination address, and destination port of a mapping — the source address and source port of the packet are effectively ignored. This “loose matching behavior” applies only if the private port is greater than 1024. Allowing this behavior for ports below 1024 would introduce a security risk... NAT 对内网同一个 IP:PORT 使用同一条映射, 所以任何机器都可以根据这条映射, 往内网 IP:PORT 对应的 公网 IP:PORT 发送 UDP 数据报(会被 NAT 转发给内网 IP:PORT). 要让其它人能知道这条映射, 内网 IP:PORT 只需要在 NAT 的 UDP idle-time 时间内往固定的外网服务器发送报告, 外网服务器就可以从 UDP 包中提取 公网 IP:PORT. 另外, 一篇 rfc 草案也能帮助你: http://midcom-p2p.sourceforge.net/draft-ford-midcom-p2p-01.txt