NAT (Network Address Translation) allows for use of internal ip addresses within a network. This is necessary as there are simply not enough unique IP address for every device on the internet to get one. With NAT, all devices within the network share one IP address for external traffic, but are assigned different internal ip addresses, which may be similar to other ip addresses outside the network, but this poses no problem as they are internal to the particular network. Now on to how this differs from firewall.
Clients who think NAT suffices as a firewall have a misunderstanding of these two functions.
Think of NAT as the old mailroom at a corporation. Inbound packages coming to the corporate address is reviewed and the mailroom adds the recipient's cube number for inside delivery. Packages arriving without a valid recipient are simply discarded. Outbound packages pass through the mailroom to the appropriate letter carrier or shipper. NAT performs the same function with inbound and outbound packets.
Now add a security element to the mailroom. Inbound packages get run through an x-ray machine and bomb detection process. Contents are examined to insure no harmful or prohibited items. The return address may be checked and if the packageis from a particular address or location, it may be blocked. Having passed through security, the mailroom adds the recipient's cube number for inside delivery. Outbound packages are likewise run past security. Packages destined to certain addresses, or containing certain items, are blocked and returned to the inside sender. His manager receives a report as to what was blocked and why. This is the function a firewall performs on packets inbound and outbound to the company.