$Id: nat-is-not-secure.html,v 1.2 2007/07/16 04:56:02 itojun Exp $

To tell you the truth, NAT gives you a false sense of security.
NAT, Network Address Translator, is a device which rewrites the IPv4 private addresses of the end clients, as they appear in the IPv4 header, into a global address that the NAT box controls (usually the IPv4 address of the NAT box itself). Because private IPv4 addresses and global IPv4 addresses are distinct, devices cannot communicate directly, and the NAT box allows outgoing (private-to-global) communication only.
The IPv4 address rewrites are so evil that I have put them in a separate section.
However, if what you want is an environment where "outsiders cannot contact clients within the enterprise directly", and you have enough IPv4 addresses to spare, you can simply write a packet filter rule which says "no TCP connection request packet (TCP SYN) may go in from outside to inside".
If you do not have enough IPv4 addresses to spare, you had better use IPv6 rather than get troublesome NAT boxes.
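As an added illustration of that filter rule (example code written for this page, not the author's own), the following Python implements the decision "block TCP connection requests entering from outside, pass everything else" over constructed IPv4/TCP packets. The interface names, the minimal packet builder and the sample packets are assumptions made for the demonstration; no real firewall is involved.

```python
import struct

# Hypothetical interface names for the demonstration.
OUTSIDE = "outside"   # the global-address side
INSIDE = "inside"     # the enterprise side

TCP_SYN = 0x02
TCP_ACK = 0x10
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, tcp_flags) from a raw IPv4 packet.

    tcp_flags is None when the payload is not TCP.
    """
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a valid IPv4 packet")
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    if proto != IPPROTO_TCP:
        return src, dst, proto, None
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    return src, dst, proto, tcp[13]   # byte 13 of the TCP header holds the flags


def is_connection_request(flags: int) -> bool:
    """A TCP connection request carries SYN without ACK (a SYN+ACK is a reply)."""
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK)


def filter_packet(pkt: bytes, in_iface: str) -> str:
    """The rule from the text: no TCP SYN may go in from outside to inside."""
    _src, _dst, proto, flags = parse_ipv4(pkt)
    if in_iface == OUTSIDE and proto == IPPROTO_TCP and is_connection_request(flags):
        return "block"
    return "pass"


def build_ipv4(src: str, dst: str, proto: int, tcp_flags: int = 0) -> bytes:
    """Construct a minimal IPv4 packet (no options, zero checksums) for the demo."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    if proto == IPPROTO_TCP:
        # sport, dport, seq, ack, data offset (5 words), flags, window, cksum, urg
        payload = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    else:
        payload = struct.pack("!HHHH", 40000, 53, 8, 0)   # bare UDP header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_b, dst_b)
    return ip + payload


def classify_samples() -> dict:
    """Run the rule over constructed sample traffic (addresses are made up)."""
    samples = {
        # an outsider trying to open a connection to an inside host
        "inbound_syn": (build_ipv4("203.0.113.9", "192.0.2.10", IPPROTO_TCP, TCP_SYN), OUTSIDE),
        # an inside host opening a connection outwards
        "outbound_syn": (build_ipv4("192.0.2.10", "203.0.113.9", IPPROTO_TCP, TCP_SYN), INSIDE),
        # the reply to that outbound connection coming back in
        "inbound_synack": (build_ipv4("203.0.113.9", "192.0.2.10", IPPROTO_TCP, TCP_SYN | TCP_ACK), OUTSIDE),
        # established-connection data coming back in
        "inbound_ack": (build_ipv4("203.0.113.9", "192.0.2.10", IPPROTO_TCP, TCP_ACK), OUTSIDE),
        # the rule says nothing about UDP, so this is untouched
        "inbound_udp": (build_ipv4("203.0.113.9", "192.0.2.10", IPPROTO_UDP), OUTSIDE),
    }
    return {name: filter_packet(pkt, iface) for name, (pkt, iface) in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:16s} {verdict}")
```

The rule is stateless: it blocks inbound SYNs while letting SYN+ACK and ACK segments of connections opened from inside flow back in, and, exactly as the sentence above states it, it covers only TCP connection setup, so UDP and other protocols need their own rules if they are to be restricted.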