User guide

Using NAT Rules
426 Check Point Safe@Office User Guide
Supported NAT Rule Types
The Safe@Office appliance enables you to define the following types of custom NAT
rules:
Static NAT (or One-to-One NAT). Translation of an IP address range to another IP
address range of the same size.
This type of NAT rule allows the mapping of Internet IP addresses or address ranges
to hosts inside the internal network. This is useful if you want each computer in your
private network to have its own Internet IP address.
Hide NAT (or Many-to-One NAT). Translation of an IP address range to a single IP
address.
This type of NAT rule enables you to share a single public Internet IP address among
several computers, by “hiding” the private IP addresses of the internal computers
behind the Safe@Office appliance’s single Internet IP address. For more information
on Hide NAT, see How Does Hide NAT Work? on page 427.
Few-to-Many NAT. Translation of a smaller IP address range to a larger IP
address range.
When this type of NAT rule is used, static NAT is used to map the IP addresses in the
smaller range to the IP addresses at the beginning of the larger range. The remaining
IP addresses in the larger range remain unused.
Many-to-Few NAT. Translation of a larger IP address range to a smaller IP
address range.
When this type of NAT rule is used, static NAT is used to map the IP addresses in the
larger range to all but the final IP address in the smaller range. Hide NAT is then used
to map all of the remaining IP addresses in the larger range to the final IP address in
the smaller range.
Service-Based NAT. Translation of a connection's original service to a different
service.
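The range-based rule types above differ only in the relative sizes of the two ranges, so one routine can work out which translated address a given host receives and whether it has that address to itself (static) or shares it (hide). The following is an added example, not code from the Safe@Office appliance or its guide: the function names are hypothetical, the addresses are constructed, and it assumes that addresses are paired in ascending order and that the first addresses of the larger range are the ones that receive static mappings.

```python
import ipaddress

def span(rng):
    """Parse 'first-last' or a single IPv4 address into integer bounds."""
    first, _, last = rng.partition("-")
    lo = int(ipaddress.IPv4Address(first.strip()))
    hi = int(ipaddress.IPv4Address((last or first).strip()))
    if hi < lo:
        raise ValueError(f"range end precedes start: {rng}")
    return lo, hi

def classify(original, translated):
    """Name the rule type implied by the sizes of the two ranges."""
    (o_lo, o_hi), (t_lo, t_hi) = span(original), span(translated)
    o_n, t_n = o_hi - o_lo + 1, t_hi - t_lo + 1
    if o_n == t_n:
        return "static"
    if t_n == 1:
        return "hide"
    return "few-to-many" if o_n < t_n else "many-to-few"

def translate(original, translated, addr):
    """Return (translated address, 'static' or 'hide'), or None if addr is
    outside the original range."""
    (o_lo, o_hi), (t_lo, t_hi) = span(original), span(translated)
    a = int(ipaddress.IPv4Address(addr))
    if not o_lo <= a <= o_hi:
        return None
    offset, t_n = a - o_lo, t_hi - t_lo + 1
    # Equal or larger translated range: position-for-position static mapping.
    # Smaller translated range: static for all but its final address, which
    # every remaining original address shares (hide). A one-address translated
    # range therefore hides the entire original range.
    if o_hi - o_lo + 1 <= t_n or offset < t_n - 1:
        return str(ipaddress.IPv4Address(t_lo + offset)), "static"
    return str(ipaddress.IPv4Address(t_hi)), "hide"

def unused(original, translated):
    """Count translated addresses left unused (non-zero only for few-to-many)."""
    (o_lo, o_hi), (t_lo, t_hi) = span(original), span(translated)
    return max(0, (t_hi - t_lo) - (o_hi - o_lo))

if __name__ == "__main__":
    # Constructed sample: 10 internal hosts, 4 documentation-range addresses.
    inside, outside = "192.168.10.1-192.168.10.10", "203.0.113.1-203.0.113.4"
    print(classify(inside, outside))
    for host in ("192.168.10.1", "192.168.10.3", "192.168.10.4", "192.168.10.10"):
        print(host, "->", translate(inside, outside, host))
```

Hosts reported as hide all appear under the same translated address, so logs that record only the translated address cannot tell them apart.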
The Safe@Office appliance also supports implicitly defined NAT rules. Such rules are
created automatically upon the following events:
Hide NAT is enabled on an internal network
An Allow and Forward firewall rule is defined