Skype does that routinely: ever wondered how it can set up a point-to-point connection without port forwarding?
So to agree with PP, NAT is not a firewall...
This does not negate the fact that NAT (PAT) provides protection against directly connecting to a device.
A query is easily triggered by sending an email with an external picture embedded or something like that.
Nothing NAT/PAT can protect you against.
The whole point-to-point connection between 2 NATed PCs isn't so much about security either. If an attacker wants to connect to your PC behind a NAT, all the attacker needs is to be routable.
All NAT does is rewrite the Source Address and/or Destination Address fields in the IP header, and possibly the Source/Destination Port fields in the UDP or TCP header. There are many rewriting methods, including some that are designed to route packets from the public network ("port forwarding", etc.).
As I figured it, if PC Bob is behind a NAT, there is not a public IP address that will route to Bob. The NAT box (let's call it a router) does have a public IP address. However, when a packet arrives at the router, and the destination port isn't mapped (by mapped I don't just mean manual port forwarding but also the actual NAT process) to some port on Bob, the packet will never reach Bob.
In order to figure out a destination port that will even reach Bob at all, you need to somehow get a recognized request from Bob and look at the 'return address'. If you already have some control over Bob (or another PC in the NAT) that seems feasible, otherwise it takes a rather large dragnet. My point being, unless you have info on the state of the router, anything behind it is effectively unroutable.
I'd be very interested to hear where I am wrong; it's been a while since I covered this material.
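
The mapping behaviour discussed in the posts above, as an added example that is not part of the original thread: a toy NAPT state table showing which inbound packets reach Bob under address-and-port-dependent filtering versus endpoint-independent ("full cone") filtering. The class, field and function names are hypothetical, and the addresses are constructed documentation-range values.

```python
from dataclasses import dataclass, field

@dataclass
class Napt:
    """Toy NAPT box (hypothetical model): one public IP, per-host port mappings."""
    public_ip: str
    endpoint_independent_filtering: bool = False  # True = "full cone" behaviour
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)   # public port -> inside (ip, port)
    permitted: dict = field(default_factory=dict)  # public port -> remotes Bob contacted

    def outbound(self, src, dst):
        """Inside host sends src -> dst; returns the rewritten public source."""
        for port, inside in self.mappings.items():
            if inside == src:
                break  # reuse the existing mapping for this inside endpoint
        else:
            port = self.next_port
            self.next_port += 1
            self.mappings[port] = src
            self.permitted[port] = set()
        self.permitted[port].add(dst)
        return (self.public_ip, port)

    def inbound(self, remote, dst_port):
        """Packet from remote to public_ip:dst_port; returns inside target or None if dropped."""
        inside = self.mappings.get(dst_port)
        if inside is None:
            return None  # no mapping: nothing behind the NAT is addressable
        if not self.endpoint_independent_filtering and remote not in self.permitted[dst_port]:
            return None  # mapping exists, but this remote was never contacted
        return inside

def demo():
    # Constructed sample endpoints (documentation address ranges).
    bob = ("192.168.1.10", 5000)
    server = ("203.0.113.5", 443)
    stranger = ("198.51.100.7", 9999)
    results = {}
    for name, eif in (("strict", False), ("full_cone", True)):
        nat = Napt("192.0.2.1", endpoint_independent_filtering=eif)
        before = nat.inbound(stranger, 40000)      # unsolicited, before any mapping
        _, port = nat.outbound(bob, server)        # Bob opens a flow
        results[name] = (before, nat.inbound(server, port), nat.inbound(stranger, port))
    return results

if __name__ == "__main__":
    print(demo())
```

In both modes the unsolicited packet is dropped while no mapping exists; once Bob has opened a flow, only the filtering policy decides whether a third party can use that mapped port, which is why a stateful firewall rule set is still needed alongside NAT.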