Even people I have spoken that understand the difference between
firewalling/reachability and NATing are still in favour of NAT. The argument
basically goes "Yes, I understand that have a public address does not
neccessarily mean being publically reachable. But having a private address
means that [inbound] public reachability is simply not possible without
explicit configuration to enable it". i.e. NAT is seen as a extra layer of
security.
I want NAT to die but I think it won't.
Far too many "security" folks are dictating actual implementation details
and that's fundamentally wrong.
A security policy should read "no external access to the network" and it
should be up to the network/firewall folks to determine how best to make
that happen. Unfortunately many security policies go so far as to
explicitly require NAT.
-Don