Simon,
You can think of the IP address as the street address of a hotel. The different services use different TCP or UDP ports, like different hotel rooms.
If your router can do plain "static" NAT, it can give the entire building a new address. This doesn't change the room numbers, so all services are still available. That may be what you want.
The reason it gets confusing is that many routers, especially for home and small business, make it hard or impossible to change the (IP) address of the entire hotel. They prefer to move several rooms to another hotel down the street, with a different address. To improve sysadmin job security (and perhaps network security), the port numbers on the rooms may also change when they move (Port Address Translation - PAT).
That's why you may need to create access rules individually for each of the different services--rooms or groups of rooms--on the appliance. And you may need different settings for outbound connections (the appliance opens an FTP session to grab a file), than for inbound connections (you control the appliance from the Internet via VNC).
To dive a bit deeper, try the section about NAT firewalls here.