I've seen firsthand what NAT does to QoS. How can one ever shape an inside host when using PAT? Is it even possible?
What about policing traffic? NBAR can see traffic like BitTorrent, but let's say that I want to give one person full access to it, but I want to limit the bandwidth that another person uses. Using PAT, I would have to source my traffic from my public IP on the public interface, but that would limit everyone.
Another question would be:
If I have several sites that don't use NAT, but their internet goes through the corporate office which does, I've still lost control of that traffic and I wouldn't be able to shape or police it, right?
The idea is there. You need to modify the ACL to reflect the FTP, P2P, BitTorrent stuff - but I know the intent of the post, and great job doing it from memory :)