At its peak there were about 20 people importing our outside interface
to inside machines.  After that we began trusting our path through the
firewall and switched to that in order to push on its harder.

The cost of importing /net is one process on the server machine per
import plus about 5 extra copies of the data due to shoving it trhough
the extra machine plus an extra header per message on the inside net
plus a bunch of context switches you wouldn't need on a nat.

The advantage is no need to worry about embedded addresses since
they would be 'real'.

For a small network, 100 or so machines, I wouldn't bother with
a NAT box and just do the import.  We're building a super-NAT
box for hiding networks the size of Lucent behind a Plan 9
box.  For that, the import surely wouldn't scale.