[RFC][patch] Two new actions: state-allow and state-deny

Jason Lewis me at sharktooth.org
Wed Feb 4 15:13:01 UTC 2015


The possible issue is that once NAT changes the IP address and
possibly the port number, state tracking can no longer be applied.
AKA, the packet headers before the NAT are different than the packet
headers after. This is why NAT needs to track the state instead of
ipfw.


More information about the freebsd-ipfw mailing list