But filtering packets because you don't have a routing destination is not done by a firewall. If I send a packet destined for 253.7.7.7 to a pure router, it will get dropped.
The routing engine on the outside port has a destination for 15.x.x.x. Those packets go into the NAT engine. It does not have a destination for 10.x.x.x. Those packets suffer the same fate they would if you gave them to any router in the middle of the internet. Nowhere to send, abort.
The routing engine on the outside port has a destination for 15.x.x.x. Those packets go into the NAT engine. It does not have a destination for 10.x.x.x. Those packets suffer the same fate they would if you gave them to any router in the middle of the internet. Nowhere to send, abort.