udppunch_20070601.jpg
When two machines running Skype need to communicate directly, but are both behind a NAT firewall, there’s a clever trick that’s employed to start a communication channel. It works like this:

First, both machines open a connection to a non-firewalled server. The server takes note of the source port (which may have been altered by the firewall) and sends this information to the other party to give it an idea of what port future connections might be coming from.

Client A then attempts to connect to a range of ports on client B’s machine. All these requests will fail at client B’s firewall, of course. However, in the process a side effect has occurred. Client A has told its own firewall to allow traffic from all of client B’s scanned ports! Now, when client B attempts to connect to client A, assuming its outgoing port was previously scanned (which it likely will be), the request will get through to client A’s machine.

If all else fails, both machines can use a central server to proxy their connection, but the UDP hole punching trick will typically allow two NAT firewalled machines to communicate directly, which means less latency and a significantly lighter load on the server.

Resources:
How Skype & Co. get round firewalls – Link
RFC3489 STUN – Simple Traversal of UDP through NAT – Link