it protects inside networks bcoz only one ip address is seen outside the network which corresponds to all your private networks for eg if 18.104.22.168 /8 is ur network and its getting mapped to some 192.x.x.x no one on the outside knws ur ip add 22.214.171.124 only ur public ip
and if theres no mapping in the nat table for the addresses in your network then we cannot reach them from the outside directly
i guess this could be one way to put it
if any corrections please suggest
In Cisco IP NAT there is a allow host ACL applied to a particular NAT policy (i not sure whether there is a way applying NAT policy with out a standard ACL), which means only listed host allow to access the public network (base on RFC1918 technically ISP would drop your traffic if there is not necessary NAT applied), so while users initial traffic to the public network, there will be a dynamic ACL generated by the ACL policy to temperaly allow Inbound traffic from the public network, which mean there will be not inbound traffic allowed unless its initial from inside users.
I guess above exaple would give you a brief view on how NAT can provide basic firewall protection.