3.2 Hide NAT (Many-to-One)

Key Takeaways

  • Hide NAT maps many internal hosts to a single public IP (typically the gateway's external IP) using port translation
  • It is outbound only — external hosts cannot initiate connections to internal hosts through Hide NAT
  • The default Hide mode is "Hide behind gateway" — the gateway's external interface IP is used as the translated source
  • Hide NAT is the standard method for giving internal clients outbound Internet access
  • The gateway maintains a stateful port mapping in the connections table so return traffic is reverse-translated to the correct internal host
Last updated: July 2026

What Hide NAT Does

Hide NAT (sometimes called PAT, Port Address Translation, in vendor-neutral literature) is the many-to-one form of Network Address Translation. Many internal source IP addresses are rewritten to one public IP address, and the source port is rewritten so the gateway can keep each conversation distinct in its connections table.

On a Check Point R82 gateway, the typical Hide NAT rule looks like this in the NAT Rule Base:

Original SourceOriginal DestinationOriginal ServiceTranslated SourceTranslated DestinationTranslated Service
Internal-NetAnyAnyGateway-External-IP (Hide behind gateway)OriginalOriginal

When an internal host at 10.1.1.50 opens a connection to 198.51.100.10:443, the gateway rewrites the source to its own external IP (say 203.0.113.5) and assigns a new source port (say 50432). The packet the Internet sees comes from 203.0.113.5:50432. When the reply arrives at 203.0.113.5:50432, the gateway looks up that tuple in its connections table, restores the source to 10.1.1.50, and forwards it inside.

When to Use Hide NAT

Hide NAT is the right choice when:

  • Internal clients need outbound Internet access and you do not want to assign each one a public IP.
  • You want to hide internal host count and topology behind a single public address.
  • Inbound initiation is not required from those hosts — they are clients, not servers.
  • You are conserving public address space. Many enterprises own only a small block of public IPs and cannot afford one per internal host.

Hide NAT is the default method for client-side Internet access in most Check Point deployments. If the gateway has only one public IP and no published servers, every internal host can still reach the Internet through Hide NAT.

Two Flavors of Hide

In SmartConsole, when you enable Automatic NAT on a network object and choose Hide, you pick a translation method:

  • Hide behind gateway — uses the gateway's external interface IP as the translated source. This is by far the most common configuration and the one CCSA scenarios usually assume.
  • Hide behind IP — uses a specific public IP that you specify, which must be an address the gateway is authorized to use (routed to it, or for which it answers ARP). This is used when the gateway's own IP must remain reserved for gateway-originated traffic, or when a pool of Hide addresses is allocated.

A third variant, Hide behind network object, lets you select an existing object (a host or network) as the translated source, useful when the same translated address must be reused across multiple rules.

Limitations of Hide NAT

The exam tests the limitations as much as the mechanics. Memorize these:

  1. No inbound connections. Because the gateway picks the source port dynamically and many internal hosts share the one public IP, there is no stable external "port + IP" that maps to a single internal server. External hosts cannot initiate to a Hide-NATted host. If you need to publish a server, you must use Static NAT.
  2. ICMP limitations. ICMP is connectionless. Hide NAT can translate ICMP echoes, but more complex ICMP flows (and some UDP-based protocols with fixed ports) can break under many-to-one translation. Some protocols embed IP addresses in the payload (FTP active mode, SIP); for those, the gateway runs an ALG (Application Layer Gateway) that rewrites the embedded addresses. FTP ALG is on by default in R82.
  3. Source port exhaustion. Under extreme load, the gateway can run out of source ports on the Hide IP. Each connection consumes a tuple; a single IP supports roughly 65,000 ports per destination-service pair. ClusterXL environments mitigate this by spreading connections across members, each maintaining its own state.
  4. Logging. Logs show the translated (post-NAT) source by default in the firewall log; enabling NAT rendering in the log view shows both original and translated addresses, which is essential for incident analysis.

How the Gateway Demultiplexes

The connections table is the secret. Each entry stores both the original and translated 5-tuple. The lookup key on inbound packets is (gateway IP, gateway-chosen source port, remote IP, remote port, protocol). On a hit, the gateway restores the original internal source and forwards. This is why state synchronization matters in ClusterXL: if a failover occurs, the backup member must already have those translations in its table to keep existing connections alive.

Hide NAT and Access Control

Hide NAT does not bypass Access Control. The internal client still needs an Access Control rule allowing it to reach the original destination on the original service. The rule is evaluated with the original, pre-NAT addresses. NAT translation happens after the access decision in the connection-establishment flow (the kernel evaluates Access Control, then applies NAT to the outgoing packet), so Access Control rules must reference the internal network, not the gateway's external IP.

A Worked Example

A small office has 50 internal hosts on 10.1.1.0/24 behind a Check Point gateway whose external IP is 203.0.113.10. The administrator enables Automatic NAT on the 10.1.1.0/24 network object, choosing Hide behind gateway. After policy install, every outbound packet from 10.1.1.x appears on the Internet as 203.0.113.10 with a remapped source port. External sites cannot tell how many internal hosts exist. No external host can initiate a connection to any internal host — there is no way to address them. To publish the office web server, the administrator must add a separate Static NAT rule, not modify the Hide rule.

Test Your Knowledge

An administrator enables Hide NAT behind the gateway for the internal 10.1.1.0/24 network. Which statement is true?

A
B
C
D
Test Your Knowledge

An internal client at 10.1.1.50 connects to an external web server. In the firewall log, what does the source address show by default?

A
B
C
D
Test Your Knowledge

Which scenario is the strongest fit for Hide NAT?

A
B
C
D