I have 2 pix 525 (7.1.2) and i need to setup a very complex configuration about NAT. I explain better the problem.
My internal networks, for example 192.168.1.0/24 192.168.2.0/24 192.168.5.0/24 192.168.4.0/24, need to reach 2 DMZ (192.168.100.0/24 and 192.168.200.0/24) through this 2 pix 525. I need very complex NAT configuration with many static nat, dynamic nat, identity nat and nat per destination.
For example all internal networks 192.168.1.0/24 must reach 192.168.200.1 with PAT and this is ok and works correctly no problem (global 192.168.200.244).
Network 192.168.100.0/24 must reach 192.168.2.1 with static identity policy nat and 192.168.2.2 with static policy nat (xlate with 192.168.100.244). I configured this correclty and works.
The problem is when i need to configure some or all inside networks to reach some ip on 2 dmz with identity nat.
For example 192.168.1.0/24 192.168.2.0/24 must reach 192.168.200.6 and 192.168.3.0/24 192.168.4.0/24 reach 192.168.100.9 all without nat.
So i configured nat exemption wth access-list to permit identity translation form internal nets to hosts on dmz.
But i receive an error: "INFO: Outside address overlap with static NAT configuration".
The problem is that configured static policy nat include ip address like 192.168.2.1 that overlap with nat exemption. If i configure identity nat on 192.168.2.1 no error is reported. So i think that nat exemption and identity nat works
on separate processes ... but i don't know.
Can you give me an advice to resolve this problem of overlapping nat?
I need more and more flexibility because many clients connect to servers per destination with nat or identity nat.