Yup, it could, but as I noted to Paul, in the cases Sean is advocating,
the client and the NAT box may not be within the same span of
administration, either. IE: no, you may _not_ trust the NAT op.
And as I noted in my reply, the real opportunities for NAT are when one
side of the NAT trusts the NAT and the other side considers it "just
another public client".