In case you had not noticed there are now tens of millions of NAT devices in use. End users are not going to pay $10 per month for an extra IP address when they can connect unlimited numbers of devices to the net using a $40 NAT box.
Sounds like a conspiracy... ISPs charging orders of magnitude more than cost for additional addresses "forcing" people to use NAT.
The NAT war has been over for years, NAT won. The problem is that the IETF still has not come to terms with that fact.
I don't think anyone has won here, there are just casualties all over the place: more work for the IETF and vendors, less functionality for the users.
The Internet was designed to be a network of networks. The core architecture is NOT end-to-end, that is a political shiboleth that has been imposed later.
Suppose for the sake of argument that the above is a valid position, and that we would actually want to make NAT work. What we need to do then is extend it such that it becomes possible to address hosts behind a NAT from the public internet. That should be perfectly doable, in essence we'd be redefining the protocol and port numbers to be part of the address. However, this means these must now also be put in the DNS and in most other places where IP addresses show up. So this adds up to a HUGE amount of new work.
Guess what: we already did pretty much the same thing with IPv6. The logical conclusion here is that we can save a lot of time and effort by simply adding IPv6 to the mix, as it is just a hair shy of being ready for full deployment, while all this stuff to make NAT actually work is all over the place.
In the case of H323 the problem is not just NAT, it is the derranged protocol which uses a block of 3000 odd TCP/IP ports to receive messages on. there is no way that this is consistent with good firewall management
So now you are complaining because after you install a firewall, it turns out the thing does its job? The whole idea that decent security can be had by allowing packets with certain port numbers in them in and not others is fatally flawed, as it just makes for an arms race between firewall vendors that inspect deeper and deeper into packes and firewall bypass utilities that tunnel the real protocol through more and more layers of accepted protocols.
What we need is "corporate zone alarm" like functionality, where firewalls get to see which applications (and users) are trying to communicate with the outside world, rather than guess based on the port number in the packet. This would allow some very nice features such as blocking vulnerable versions of applications but allowing patched versions of the same application.