Most data transfers across a firewall are completely transparent to end users. Web sites that ship traffic across default ports have little or no trouble with firewall traversal, because the standard conduits for most web traffic are already open to allow the normal transfer of data. When a computer behind a firewall needs to make a connection outside its own network, it attempts to open a connection on the port that the requesting application depends on. If policy allows that port to be opened, the connection is made and two-way communication is possible. Some applications use ports that are not standard, and their requests will be flatly denied. Trickier still is the challenge of firewall traversal by VPN software. The effects of network address translation, or NAT, on firewall traversal can be rather inconvenient for computer users and administrators alike.
A NAT shares a single public IP address across a whole network. This technology is used in the smallest home networks and the largest corporate ones. It is a requirement necessitated by the limited supply of addresses in IP version 4 (IPv4). The same technology that enables internet connection sharing also makes firewall traversal a challenge for some VPN clients that depend on the target computer having a unique address. In a NAT situation, one address is shared among hundreds of computers. For firewall traversal to take place, an individual, unique IP address can be statically mapped to the fully qualified domain name of a computer inside the network, making it appear that the computer has an externally valid IP address and thus allowing the VPN connection to traverse the firewall. This is not the only method of firewall traversal, but it is a common way to resolve connectivity issues surrounding VPN use across a firewall.
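The following is an added example, not part of the original article: a small Python model of a NAT gateway with an egress port policy. It illustrates both points above: outbound requests on the standard web ports pass and get translated to the shared public address, a request on a non-standard port is denied by policy, and an unsolicited inbound VPN connection to the shared public address has no internal host to go to until a static mapping for that host is configured. All IP addresses, host names and the VPN port (UDP 1194 here) are constructed for the example; the "allowed egress ports" set of 80 and 443 is an assumption standing in for the article's "standard conduits for most web traffic".

```python
"""
Toy NAT gateway plus egress firewall policy (added example, not the
article's own material). Addresses and ports are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PUBLIC_IP = "198.51.100.10"          # single public address shared by the LAN (constructed)
VPN_HOST_LAN_IP = "10.0.0.50"        # internal VPN endpoint (constructed)
VPN_PORT = 1194                      # example VPN listening port (assumption)


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class NatGateway:
    public_ip: str
    # Egress policy: only these destination ports may be opened (assumption).
    allowed_egress_ports: Set[int] = field(default_factory=lambda: {80, 443})
    # Dynamic translations for outbound flows: (lan_ip, lan_port) -> public port.
    outbound: Dict[Tuple[str, int], int] = field(default_factory=dict)
    # Reverse lookup so replies find their way back: public port -> (lan_ip, lan_port).
    inbound: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    # Static one-to-one mappings for unsolicited inbound traffic: (proto, port) -> lan_ip.
    static: Dict[Tuple[str, int], str] = field(default_factory=dict)
    next_public_port: int = 40000

    def egress(self, pkt: Packet) -> Optional[Packet]:
        """Apply the egress policy, then rewrite the source to the shared public address."""
        if pkt.dst_port not in self.allowed_egress_ports:
            return None                       # non-standard port: flatly denied
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:          # first packet of a new flow: allocate a port
            self.outbound[key] = self.next_public_port
            self.inbound[self.next_public_port] = key
            self.next_public_port += 1
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def add_static_mapping(self, proto: str, port: int, lan_ip: str) -> None:
        """Statically map an inbound (proto, port) on the public address to one LAN host."""
        self.static[(proto, port)] = lan_ip

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        """Deliver an inbound packet to the right LAN host, or drop it."""
        if pkt.dst_ip != self.public_ip:
            return None
        if pkt.dst_port in self.inbound:      # reply to a flow a LAN host opened
            lan_ip, lan_port = self.inbound[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)
        lan_ip = self.static.get((pkt.proto, pkt.dst_port))
        if lan_ip is not None:                # unsolicited inbound with a static mapping
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, pkt.dst_port, pkt.proto)
        return None                           # shared address, no host to deliver to: dropped


def walkthrough() -> Dict[str, bool]:
    """Run the scenarios from the article against the toy gateway and report each outcome."""
    nat = NatGateway(PUBLIC_IP)
    out = {}
    web = nat.egress(Packet("10.0.0.11", 51000, "203.0.113.5", 443))
    out["web_allowed_and_translated"] = web is not None and web.src_ip == PUBLIC_IP
    out["odd_port_denied"] = nat.egress(Packet("10.0.0.11", 51001, "203.0.113.5", 6000)) is None
    reply = nat.ingress(Packet("203.0.113.5", 443, PUBLIC_IP, web.src_port))
    out["web_reply_delivered"] = reply is not None and reply.dst_ip == "10.0.0.11"
    vpn = Packet("203.0.113.77", 500, PUBLIC_IP, VPN_PORT, "udp")
    out["vpn_dropped_without_mapping"] = nat.ingress(vpn) is None
    nat.add_static_mapping("udp", VPN_PORT, VPN_HOST_LAN_IP)
    after = nat.ingress(vpn)
    out["vpn_delivered_with_mapping"] = after is not None and after.dst_ip == VPN_HOST_LAN_IP
    return out


if __name__ == "__main__":
    for scenario, ok in walkthrough().items():
        print(f"{scenario}: {ok}")
```

The model deliberately separates the two mechanisms the article describes: the egress policy decides which outbound ports may be opened at all, while the translation tables decide where inbound packets can be delivered. Replies to flows a LAN host opened are delivered by the dynamic table; anything else arriving at the shared address is dropped unless an administrator has configured a static mapping, which is exactly the situation a VPN endpoint behind a NAT ends up in.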