NAT only matters in so far as you don't technically need a firewall to block incoming traffic since if it fails a NAT lookup you know to drop the traffic.

But from a security standpoint you can just do the same tracking for the same result. That is just technically a firewall at that point.