Re: NAT isn't your first line of defense, the stateful firewall is.
No, it doesn't. All it does to incoming packets is rewrite their dest address header, and only if they match a connection that's being NATed (or a static port forwarding rule); it doesn't decide whether or not to drop incoming packets.