$Id: why-nat-is-not-enough.html,v 1.1 2007/07/16 04:42:52 itojun Exp $

NAT uses private IPv4 addresses. They are like telephone number extensions within a corporate telephone system. Outsiders can only dial a number which reaches the receptionist, but in fact there are thousands of telephones within the company. From inside it is possible to dial out from one of the corporate phones to the outside, or within the company.
However, in this environment, you just cannot dial directly from within a company to someone in another company, or vice versa. You have to get connected through the receptionist.
If the receptionist is like Moneypenny, it would be fine, but technology-wise it is a big problem.
Imagine you have got a new hard-disk-based VCR (which is increasingly becoming popular in Japan), or a TiVo device, in your home. Your house implements a NAT device and uses private IPv4 addresses. Also your office implements a NAT device and uses private IPv4 addresses. In this case, you cannot make or change a recording reservation on the VCR from your office, since the NAT router in your home blocks the inbound connection.
If you configure something called "port forwarding" on the NAT box, you can work around the VCR problem, but why do you have to add more complexity (port forwarding) on top of a complex evil device (NAT)?
Recent NAT boxes implement UPnP (Universal Plug-n-Play), but it actually is "automated port forwarding". With UPnP, devices like a hard-disk-based VCR can "punch a hole" through the NAT device with ease. UPnP can easily be abused if your VCR gets infected by clever worms and viruses!
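The three situations above (plain NAT dropping the office's connection, a manual port-forwarding entry, and UPnP letting an inside host add such an entry by itself) can be shown with a small model of a NAT translation table. The following Python is an added illustration, not code from itojun's page; it models a simplified full-cone NAT and uses constructed addresses (203.0.113.5 for the NAT box, 192.168.1.0/24 inside, 198.51.100.7 for the office). The `upnp_allowed_hosts` allow-list is a hypothetical mitigation added here to show how limiting which inside hosts may punch holes reduces the exposure the last paragraph warns about.

```python
# Added example: toy NAT translation table (simplified full-cone NAT).
# All addresses and ports are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

PUBLIC_IP = "203.0.113.5"      # constructed public address of the NAT box
INSIDE_NET = "192.168.1."      # constructed private network behind it
OFFICE_IP = "198.51.100.7"     # constructed address of the office host


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatBox:
    public_ip: str
    next_port: int = 40000
    # public_port -> (inside_ip, inside_port), created by outbound traffic
    dynamic: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    # public_port -> (inside_ip, inside_port), static port forwarding
    forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    upnp_enabled: bool = False
    # hypothetical mitigation: only these inside hosts may add UPnP mappings
    upnp_allowed_hosts: FrozenSet[str] = frozenset()

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet and remember the mapping for replies."""
        key = (pkt.src_ip, pkt.src_port)
        for pub_port, inside in self.dynamic.items():
            if inside == key:          # reuse an existing mapping
                break
        else:
            pub_port = self.next_port  # allocate a fresh public port
            self.next_port += 1
            self.dynamic[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver an outside->inside packet only if a mapping exists; otherwise drop."""
        inside = self.dynamic.get(pkt.dst_port) or self.forwards.get(pkt.dst_port)
        if inside is None:
            return None                # unsolicited inbound: no hole, dropped
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])

    def add_port_forward(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        """Manual port forwarding configured by the administrator."""
        self.forwards[public_port] = (inside_ip, inside_port)

    def upnp_request(self, requester_ip: str, public_port: int, inside_port: int) -> bool:
        """UPnP-style 'automated port forwarding' requested by an inside host.
        Returns True if the hole was punched, False if refused."""
        if not self.upnp_enabled:
            return False
        if self.upnp_allowed_hosts and requester_ip not in self.upnp_allowed_hosts:
            return False
        self.forwards[public_port] = (requester_ip, inside_port)
        return True


def demo() -> dict:
    """Walk through the scenarios from the text and collect the outcomes."""
    vcr = INSIDE_NET + "20"    # the home VCR
    pc = INSIDE_NET + "33"     # some other inside host
    office = Packet(OFFICE_IP, 5555, PUBLIC_IP, 80)   # office -> VCR web interface
    results = {}

    # 1. Plain NAT: the office's connection is dropped (no mapping).
    nat = NatBox(PUBLIC_IP)
    results["plain_nat"] = nat.inbound(office)

    # 2. Outbound traffic from the VCR works and the reply finds its way back.
    out = nat.outbound(Packet(vcr, 3000, OFFICE_IP, 80))
    reply = Packet(OFFICE_IP, 80, PUBLIC_IP, out.src_port)
    results["reply_dst"] = nat.inbound(reply).dst_ip

    # 3. Manual port forwarding: the office now reaches the VCR.
    nat.add_port_forward(80, vcr, 80)
    results["port_forward_dst"] = nat.inbound(office).dst_ip

    # 4. UPnP enabled with no restriction: any inside host can open a hole by itself.
    nat_upnp = NatBox(PUBLIC_IP, upnp_enabled=True)
    results["upnp_open"] = nat_upnp.upnp_request(pc, 8080, 8080)

    # 5. UPnP restricted to an allow-list (hypothetical mitigation): same request refused.
    nat_restricted = NatBox(PUBLIC_IP, upnp_enabled=True, upnp_allowed_hosts=frozenset({vcr}))
    results["upnp_restricted"] = nat_restricted.upnp_request(pc, 8080, 8080)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Running the script prints the outcome of each scenario: the plain-NAT inbound packet is dropped (`None`), the reply to outbound traffic and the port-forwarded packet both reach 192.168.1.20, the unrestricted UPnP request succeeds, and the allow-listed box refuses it. Real NAT implementations also key mappings on the remote address and port and expire them; the point here is only that every inbound path requires a table entry and that UPnP hands inside hosts the power to create such entries.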