Is pwnat applicable for symmetric NAT? How about two symmetric NATs?
Can the ICMP Time Exceeded message payload be used to transport data?
I encountered an enterprise NAT, which does the following:
Host A, inside the NAT, binds a UDP socket to a local address, say 10.0.0.1:8888.
A sends a packet to another public host B 101.0.0.1:9000; B sees A as 110.0.0.1:8888.
A sends a packet to host B 101.0.0.1:9001 using the same socket; B now sees A as 110.0.0.2:8888.
Host C is behind another NAT. Hosts A and C both drop packets from unknown origin.
I would like to build a tunnel between A and C. The traditional p2p hole punching method won't work, because when A tries to connect to C, it's using a different public address than B sees. I don't think the original pwnat is designed to solve these kinds of problems; it seems that pwnat focused on removing the dependency on host B? https://samy.pl/pwnat/ says that "This will work behind many NATs and firewalls, but not all." Is that intended to mean symmetric NAT is not supported? In this case, the problem lies exactly in that C doesn't know what the public address of A is.
I intercepted some ICMP Time Exceeded messages for ICMP ping requests; the original ping body was included in the Time Exceeded reply. Can we modify the reply and use that part to encode some data? Will the modified packet be accepted and routed correctly by NATs?
I'm trying to build a prototype that can penetrate symmetric NATs. I'm new to the field and succeeded in getting ICMP Time Exceeded replies by modifying TTL, but I'm still learning about how to read ICMP Time Exceeded replies from the OS.
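On reading ICMP Time Exceeded replies, as asked about above: the following is an added example, not part of the original post and not pwnat code, that parses a Time Exceeded message and pulls out the quoted original datagram. It assumes the buffer starts at the ICMP header (any outer IP header already stripped); the function names, the `probe-01` payload and the sample packet are constructed for illustration, reusing the addresses from the post.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_time_exceeded(icmp: bytes) -> dict:
    """Parse an ICMP Time Exceeded message that starts at the ICMP header."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("too short for header + quoted IPv4 header + 8 bytes")
    mtype, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if mtype != 11:
        raise ValueError("not ICMP type 11 (Time Exceeded)")
    if checksum(icmp) != 0:  # a valid message sums to zero, checksum included
        raise ValueError("bad ICMP checksum")
    quoted = icmp[8:]  # the original datagram as the router saw it
    ihl = (quoted[0] & 0x0F) * 4
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("malformed quoted IPv4 header")
    info = {"code": code, "proto": quoted[9],
            "src": socket.inet_ntoa(quoted[12:16]),
            "dst": socket.inet_ntoa(quoted[16:20])}
    inner = quoted[ihl:]
    if info["proto"] == 1:  # quoted datagram was ICMP, e.g. an echo request
        itype, _icode, _ics, ident, seq = struct.unpack("!BBHHH", inner[:8])
        # RFC 792 only guarantees 8 quoted bytes, so the payload may be empty.
        info.update(inner_type=itype, ident=ident, seq=seq, echo_payload=inner[8:])
    return info

def build_sample(quote_len=None) -> bytes:
    """Constructed sample reply quoting an echo request 110.0.0.1 -> 101.0.0.1."""
    echo = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"probe-01"
    echo = echo[:2] + struct.pack("!H", checksum(echo)) + echo[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(echo), 0, 0, 1, 1, 0,
                     socket.inet_aton("110.0.0.1"), socket.inet_aton("101.0.0.1"))
    body = struct.pack("!BBHI", 11, 0, 0, 0) + (ip + echo)[:quote_len]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

if __name__ == "__main__":
    print(parse_time_exceeded(build_sample()))    # router quoted the full datagram
    print(parse_time_exceeded(build_sample(28)))  # IP header + 8 bytes only
```

The second call shows why the echo body cannot be relied on: a router that quotes only the minimum returns the echo identifier and sequence number but none of the payload.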
revintec changed the title from "[GENERAL QUESTION]symmtric NAT" to "[EDITING] [GENERAL QUESTION]symmetric NAT" on Jan 23, 2018
revintec changed the title from "[EDITING] [GENERAL QUESTION]symmetric NAT" to "[GENERAL QUESTION] how to penetrate symmetric NATs" on Jan 23, 2018