TCP behind NAT

It is assumed that hosts A and B are both behind NAT, and that UDP hole punching is already working.
There are two more requirements for A to initiate a TCP connection to B.
1. natA has to tolerate B sending A a SYN, by not replying with a RST.
2. natB has to allow A’s SYN to come in, although natB normally expects a SYN/ACK from A.
Most NATs do not meet these two requirements, which explains why TCP hole punching seldom works.
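
The two requirements can be checked against a small model of the exchange. This is an added example, not code from the original note: the Nat class, its two flags and the punch function are hypothetical names, and the model assumes that a RST reaching natB removes the mapping B's SYN created.

```python
# Added example: toy model of the SYN exchange, not real NAT code.
from dataclasses import dataclass, field

@dataclass
class Nat:
    name: str
    rst_on_unsolicited_syn: bool  # True breaks requirement 1
    strict_syn_sent: bool         # True breaks requirement 2
    pending: set = field(default_factory=set)  # peers with an outbound SYN in flight

    def outbound_syn(self, peer):
        self.pending.add(peer)

    def inbound(self, peer, flags):
        """Verdict for a segment from peer: 'forward', 'drop' or 'rst'."""
        if peer not in self.pending:
            # No mapping: unsolicited traffic is dropped or answered with RST.
            if flags == "SYN" and self.rst_on_unsolicited_syn:
                return "rst"
            return "drop"
        if flags == "RST":
            self.pending.discard(peer)  # assumption: a RST tears the mapping down
            return "forward"
        if flags == "SYN" and self.strict_syn_sent:
            return "drop"  # mapping exists, but only SYN/ACK is accepted
        return "forward"

def punch(nat_a, nat_b):
    """B's SYN opens natB, then A sends its SYN. Returns (connected, log)."""
    log = []
    nat_b.outbound_syn("A")
    verdict = nat_a.inbound("B", "SYN")
    log.append(f"B->A SYN at {nat_a.name}: {verdict}")
    if verdict == "rst":
        nat_b.inbound("A", "RST")
        log.append(f"RST reaches {nat_b.name}: mapping for A removed")
    nat_a.outbound_syn("B")
    verdict = nat_b.inbound("A", "SYN")
    log.append(f"A->B SYN at {nat_b.name}: {verdict}")
    if verdict != "forward":
        return False, log
    verdict = nat_a.inbound("B", "SYN/ACK")
    log.append(f"B->A SYN/ACK at {nat_a.name}: {verdict}")
    return verdict == "forward", log

if __name__ == "__main__":
    for rst in (False, True):
        for strict in (False, True):
            ok, log = punch(Nat("natA", rst, False), Nat("natB", False, strict))
            print(f"natA RST={rst}, natB strict={strict}: connected={ok}", *log, sep="\n    ")
```

Only the combination where natA stays silent and natB accepts a SYN on its pending mapping ends with the connection established.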