They *will* fight you, and tell you to your face that if you want to take NAT away from them it will be from their cold dead hands.
And it isn't NAT in and of itself that is attractive. Those people aren't talking about static NAT where you are just translating the network prefix. They are talking dynamic port-based PAT so that the translation doesn't exist until the first packet goes in the outbound direction. Like it or not, that DOES provide some barrier of entry to someone outside wishing to initiate a connection from the outside. You cannot predict in advance what outside address/port will be associated with which inside address/port or if any such association even exists, and a lot of people have already made up their minds that the breakage that causes for various things is offset by the perceived benefit of that barrier and worth the price of dealing with that breakage.
Ah... You've actually just pointed out that it is _NOT_ the NAT that does that, but the stateful inspection that happens before the NAT. Stateful inspection can occur and require a matching state table entry to permit inbound packets with or without the header-mangling that we call NAT, NPAT, NAPT, PAT, etc. True, overloaded NAT cannot exist without stateful inspection, but that's largely irrelevant to security. What is relevant is the need for a good stateful inspection engine with a default-deny-inbound policy.

Owen
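
Added example, not part of either message in this thread: a toy gateway in Python showing that the inbound barrier discussed above comes from the state-table lookup with default deny, and behaves the same with or without source address/port rewriting. The Gateway class, its methods and all addresses (documentation ranges) are constructed for illustration, and the filter is assumed to match on the full remote address and port.

```python
from itertools import count

class Gateway:
    """Stateful filter with default-deny-inbound; NAPT is an optional extra."""
    def __init__(self, napt=False, public_ip="203.0.113.1"):
        self.napt = napt
        self.public_ip = public_ip
        self.ports = count(40000)   # next free outside port (NAPT only)
        self.state = {}             # (out ip, out port, remote ip, remote port) -> inside (ip, port)

    def outbound(self, src, sport, dst, dport):
        """Inside host sends a packet: create state, optionally rewrite the source."""
        if self.napt:
            for key, inside in self.state.items():   # reuse an existing mapping
                if inside == (src, sport) and key[2:] == (dst, dport):
                    return key[:2]
            ext = (self.public_ip, next(self.ports))
        else:
            ext = (src, sport)                       # headers left untouched
        self.state[ext + (dst, dport)] = (src, sport)
        return ext                                   # source as seen from outside

    def inbound(self, src, sport, dst, dport):
        """Outside packet arrives: forwarded only if a state entry matches."""
        return self.state.get((dst, dport, src, sport))   # None means dropped

def demo(napt):
    gw = Gateway(napt=napt)
    # Inside host opens a connection to a remote server (constructed addresses).
    ext_ip, ext_port = gw.outbound("192.0.2.10", 51000, "198.51.100.7", 443)
    # The server's reply matches the state entry and is delivered inside.
    reply = gw.inbound("198.51.100.7", 443, ext_ip, ext_port)
    # A different remote host aims at the same outside address/port: no state.
    probe = gw.inbound("198.51.100.99", 443, ext_ip, ext_port)
    # Unsolicited connection straight at the inside host's address: no state.
    direct = gw.inbound("198.51.100.99", 12345, "192.0.2.10", 22)
    return (ext_ip, ext_port), reply, probe, direct

if __name__ == "__main__":
    for mode in (False, True):
        print("napt" if mode else "no-nat", demo(mode))
```

In both modes the reply is delivered and both unsolicited packets are dropped; the only difference is the source address and port the outside sees.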