Some cheap NAT devices rewrites stuff that "looks like" the internal IP addresses inside the TCP payload, in a hackish attempt to "fix" things like FTP and other protocols that send addresses in the payload. A really stupid and dangerous way to do things, but it's been known to happen.
Crazy. Has that been observed in carrier-grade NAT boxes, though? Or only in el-cheapo residential devices? It seems an incredible risk to the carriers to do things that way.
