I've been wondering for awhile now about how people get passed NAT. I've noticed that even behind a NAT router, with no port forwarding, my software firewall still picks up a lot of attempted scans, worm probes etc. I've noticed this both on home broadband routers and larger ISP setups. I assume its done with some variations of source routing and/or spoofing but is anyone know how it is actually executed??