>Also NAT is a pretty simple abstraction, it's literally a single table.

...And now, let's try punching a hole through this "simple" table. Oops, someone is using a port-restricted or symmetric NAT and hole punching has gotten just a tad more complicated.