What are you on about? NAT by design DOES block incoming connections, but only because by design it is sharing your internet connection to multiple devices via a private network with private IP addresses.
NAT allows incoming connections by any number of mechanisms, including UPnP and port forwarding. They do not need to be initiated by the client end.
The ideology of blocking incoming connections is a negative and takes away the fundamental point of the internet, an all connected network. It wasn't by design, it is a downfall which was created by the mechanism of saving IP space, but that needed to be completed as there are no IPv4s left in the world. You have not been able to request any IPv4 blocks from organisations like ISOC since 2011, they're all out. You fell into the common misconception that the blocking of incoming connections was a design feature of NAT to boost security on the internal networks. It's actually the opposite, it's a side-effect as I've said. It takes away the fundamental point of the internet, something IPv6 would restore.
My days, I write pages of text explaining why it needs to be initialised by the internal host and people just don't read it then claim the same point again. Read my posts. UPnP is sent from an internal host. I can't send a UPnP packet to a public IP address, it'll tell me to get lost.
A real example: your Xbox tells your home router that it's using port 3074 and to send any traffic on that port to its IP address. Xbox Live doesn't tell your router. See what I mean?
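Added example, not part of any post in this thread: a toy Python model of the translation table being argued about, showing unsolicited inbound traffic being dropped, a mapping request being honoured only from the LAN side, and the list of standing forwards a defender would review. The class, addresses and the LAN-only rule are assumptions for illustration; only port 3074 comes from the thread, and real routers also track the remote endpoint, which this model omits.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"   # constructed (RFC 5737 documentation range)
LAN_PREFIX = "192.168.1."    # constructed private LAN
XBOX_IP = "192.168.1.50"     # constructed internal host

@dataclass
class NatRouter:
    # (proto, public_port) -> (internal_ip, internal_port, origin)
    table: dict = field(default_factory=dict)

    def outbound(self, proto, src_ip, src_port):
        """Internal host sends a packet out: the router records a mapping."""
        self.table.setdefault((proto, src_port), (src_ip, src_port, "flow"))
        return PUBLIC_IP, src_port

    def request_mapping(self, requester_ip, proto, port):
        """UPnP-style request. Assumption: only honoured when it comes from the LAN."""
        if not requester_ip.startswith(LAN_PREFIX):
            return False
        self.table[(proto, port)] = (requester_ip, port, "requested")
        return True

    def inbound(self, proto, dst_port):
        """Packet hits the public IP: forward if a mapping exists, else drop (None)."""
        entry = self.table.get((proto, dst_port))
        return entry[:2] if entry else None

    def requested_ports(self):
        """Standing forwards a defender would review, as opposed to reply paths."""
        return sorted(k for k, v in self.table.items() if v[2] == "requested")

def demo():
    r = NatRouter()
    out = {"unsolicited": r.inbound("udp", 3074)}
    out["wan_request"] = r.request_mapping("198.51.100.7", "udp", 3074)
    out["lan_request"] = r.request_mapping(XBOX_IP, "udp", 3074)
    out["after_mapping"] = r.inbound("udp", 3074)
    r.outbound("tcp", "192.168.1.20", 51000)
    out["reply_path"] = r.inbound("tcp", 51000)
    out["audit"] = r.requested_ports()
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```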