You would have to block everything outbound, or have a product in the mix that can inspect packets very deeply. Although there is a standard port number for NAT traversal, I don't think there is any reason why someone couldn't cook up a solution that runs it on a non-standard port. Also, there are lots of proprietary solutions out there that do things differently.