IO540
I don't think there is any way to hack a standard NAT router.
Wash your mouth out with soap young man.
For a start, in the non "hacker" territory, UpNp can work all sorts of nasty magic behind your back.
And in the "hacker" territory, NAT is considered "security by obscurity", it is not a recognised form of security. Shock horror, not even its designers intended it to be a security measure
Examples of possible routes in :
(1) Remember a router is basically a miniature computer plus OS. Break the OS and you break the router (and/or can get access to re-configure to enable bypass) Pleanty of examples of DoS and other attacks against routers (for one of many examples, google "Cute Little Cisco NAT DoS")
(2) Malicious packets can be passed through NAT device and cause issues during reassembly. Similarly, tricks can be played with TCP flags.
(3) All sorts of spoofing attacks.
The list could go on. But the point is, NAT != Security.