Well, you were actually pretty close as regards 'why' this is an issue, although active ftp is closer to what you were describing. The effect of NAT on this type of comms is pretty much the same. You can rewrite the packets if your firewall lets you use inspect script like FW1 or similar. It then only becomes a real pain if your packets are encrypted (IPSec - Akkkkkk!!)