I came across this utility NATProbe, this tool will try to sends ICMP packets out to the LAN, and will detect all the hosts that allow NAT. Now with this tool you can find bugs in your corporate network or even find hosts that allow outgoing internet connections.
This reminds me of one of my Penetration Testing assignment where we found out there was a Squid based proxy server, it was fully patched and very well maintained but somehow I felt let me see if i can put it as a gateway to my host and access internet.As soon as the network card was up with new gateway settings. The internet worked without a problem and was much faster. We downloaded a OpenSuSE Live CD ISO file and the full 700MB was downloaded in under 13 minutes. So we surely had full access to internet without any bandwidth caps or logging. If we tried to use the proxy server in the browser we were asked to authenticate against Active Directory server but when we used it as a gateway, it worked perfectly fine. Later we came to know that it NAT was enabled during the installation! What a disaster that was by the admin.
If i had to scan for IP's all over the network for NAT enabled hosts, it would have taken sometime but this tool NATProbe. Just start this tool and wait for results. This tool has surely made life of penetration testers easy as well as for Admins who would like to know if employee has enabled NAT for quick p2p sharing for internet sharing.
This tool is hosted at Google Code