Command statements for the static command cannot contain overlapping IP addresses. When IP addresses overlap, PIX Firewall denies service without sending denial messages to syslog. [CSCdp22217] In this caveat report, an FTP session was attempted and was denied, but no denial message was sent to syslog.
For example, the following command statements do not work:
nat (inside) 0 10.0.0.0 255.0.0.0
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,perim1) 10.64.0.0 10.64.0.0 netmask 255.255.0.0
In this example, the nat 0 command statement enables the identity feature so that any host on the 10.0.0.0 network can start connections to a lower security level interface. The first static command statement lets all hosts on the inside 10.0.0.0 network be visible on the outside network. The second static statement attempts to use a subset of the 10.0.0.0 address range on another interface. Because 10.64.0.0 is a part of the 10.0.0.0 range of addresses, the addresses overlap.
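Because the denial is not logged, the overlap is easier to catch in the configuration before it is loaded than in syslog afterwards. The following check is an added example, not Cisco code: it parses only the static form shown above, the function names are hypothetical, and comparing both the global and the local address of each statement is an assumption of this sketch.

```python
import ipaddress
import re
from itertools import combinations

# Matches only the form shown above:
#   static (real_if,mapped_if) global_ip local_ip netmask mask
STATIC_RE = re.compile(
    r"^\s*static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)\s*$"
)

def parse_statics(config_text):
    """Return one dict per static statement found in config_text."""
    statics = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = STATIC_RE.match(line)
        if not m:
            continue  # nat and other statements are ignored
        real_if, mapped_if, global_ip, local_ip, mask = m.groups()
        statics.append({
            "line": lineno,
            "text": line.strip(),
            "ifaces": (real_if, mapped_if),
            # strict=False tolerates host bits set in the address
            "global": ipaddress.ip_network(f"{global_ip}/{mask}", strict=False),
            "local": ipaddress.ip_network(f"{local_ip}/{mask}", strict=False),
        })
    return statics

def find_overlaps(config_text):
    """Return (first, second, kind) for each pair of statics whose ranges overlap."""
    findings = []
    for a, b in combinations(parse_statics(config_text), 2):
        for kind in ("local", "global"):
            if a[kind].overlaps(b[kind]):
                findings.append((a["text"], b["text"], kind))
    return findings

# Constructed sample: the three statements from the text plus one
# non-overlapping static (172.16.1.0 is an invented address).
SAMPLE = """\
nat (inside) 0 10.0.0.0 255.0.0.0
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,perim1) 10.64.0.0 10.64.0.0 netmask 255.255.0.0
static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
"""

if __name__ == "__main__":
    for first, second, kind in find_overlaps(SAMPLE):
        print(f"overlap ({kind} address):\n  {first}\n  {second}")
```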