Re: policy static nat question / Error in Cisco's configuration
To further answer your initial question about the 'global address overlaps with mask' message: these types of error messages imply that you are trying to NAT a high number of hosts to an unequal number of IP addresses. In this case, the original configuration leverages an access-list containing 30 possible host IP addresses which must map to a single given IP address.
That is all fine and good, but the above behavior for the two configurations on my FWSM seems to contradict page 12-13 of the FWSM config guide which provided an example that implies it's possible to NAT more than one address to a single address using Policy Static NAT.
For the above scenario, what I think you are trying to do is to configure static NAT for two different IP hosts (x and y) to a single mapped IP (a.a.a.a), and you are getting the error below.
ERROR: access-list used in static has different local addresses
The firewall is intelligent enough to tell us that this setup will not work, since static NAT is bi-directional.
For example: if a client on the external network tries to access our mapped IP (a.a.a.a), the firewall cannot un-NAT to two different internal IPs (x and y); hence it does not allow us to configure two different IPs to a single IP address in the first place.
If you try the same configuration with a single network in the ACL to a mapped IP, you will not get any error.
For policy static NAT (and for NAT exemption, which also uses an access list to identify traffic), you can initiate traffic to and from the real host. However, the destination address in the access list is only used for traffic initiated by the real host. For traffic to the real host from the destination network, the source address is not checked, and the first matching NAT rule for the real host address is used. So if you configure static policy NAT such as the following:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.224 126.96.36.199 255.255.255.224
Then when hosts on the 10.1.2.0/27 network access 188.8.131.52/24, they are translated to corresponding addresses on the 184.108.40.206/27 network. But any host on the outside can access the mapped addresses 220.127.116.11/27, and not just hosts on the 18.104.22.168/24 network.
For the same reason (the source address is not checked for traffic to the real host), you cannot use policy static NAT to translate different real addresses to the same mapped address. For example, two inside hosts, 10.1.1.1 and 10.1.1.2, that you want to be translated to 22.214.171.124. When outside host 126.96.36.199 connects to 188.8.131.52, then the connection goes to 10.1.1.1. When outside host 184.108.40.206 connects to the same mapped address, 220.127.116.11, you want the connection to go to 10.1.1.2. However, because the destination address in the access list is not checked for traffic to the real host, then the first ACE that matches the real host is used. Since the first ACE is for 10.1.1.1, then all inbound connections sourced from 18.104.22.168 and 22.214.171.124 and destined to 126.96.36.199 will have their destination address translated to 10.1.1.1.
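Added example, not from the original thread or from Cisco: a small Python model of the two lookup rules the config-guide excerpt above describes (outbound checks both addresses of the ACE; inbound ignores the outside source and takes the first rule whose mapped range holds the destination). The class and method names are my own, and the mapped/outside addresses are RFC 5737 documentation values I chose, since the addresses quoted above are garbled; the 10.1.1.1 / 10.1.1.2 hosts are the ones from the text.

```python
import ipaddress

# Added example: a model of policy static NAT lookup as described in the
# config-guide text. This is NOT FWSM/ASA code; names and addresses below
# are assumptions. Rules are kept in configuration order, like ACEs.


class PolicyStaticNat:
    """Each rule: (real network, ACL destination network, mapped network)."""

    def __init__(self):
        self.rules = []

    def add_static(self, real, dest, mapped):
        """Model of: static (inside,outside) <mapped> access-list <real -> dest>."""
        self.rules.append((
            ipaddress.ip_network(real, strict=False),
            ipaddress.ip_network(dest, strict=False),
            ipaddress.ip_network(mapped, strict=False),
        ))

    def outbound(self, src, dst):
        """Traffic initiated by the real host: both ACE addresses are checked.
        Returns the mapped source address, or None if no ACE matches."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for real, dest, mapped in self.rules:
            if src in real and dst in dest:
                # one-to-one: same offset inside the real and mapped ranges
                offset = int(src) - int(real.network_address)
                return str(mapped.network_address + offset)
        return None

    def inbound(self, src, dst):
        """Traffic to the real host: the outside source is NOT checked; the
        first rule whose mapped range contains dst wins, whatever src is."""
        dst = ipaddress.ip_address(dst)
        for real, _dest, mapped in self.rules:
            if dst in mapped:
                offset = int(dst) - int(mapped.network_address)
                return str(real.network_address + offset)
        return None

    def ambiguous_mapped(self):
        """Mapped addresses that more than one real address translates to.
        Un-NAT would have to guess here, which is why the firewall refuses
        such a configuration instead of silently using the first ACE."""
        seen, bad = {}, set()
        for real, _dest, mapped in self.rules:
            for i in range(min(real.num_addresses, mapped.num_addresses)):
                m = str(mapped.network_address + i)
                r = str(real.network_address + i)
                if seen.setdefault(m, r) != r:
                    bad.add(m)
        return sorted(bad)


if __name__ == "__main__":
    # Case 1 (text above): two inside hosts to one mapped address.
    nat = PolicyStaticNat()
    nat.add_static("10.1.1.1/32", "198.51.100.1/32", "203.0.113.10/32")
    nat.add_static("10.1.1.2/32", "198.51.100.2/32", "203.0.113.10/32")
    print(nat.outbound("10.1.1.2", "198.51.100.2"))   # 203.0.113.10, ACE 2 matches
    print(nat.inbound("198.51.100.2", "203.0.113.10"))  # 10.1.1.1, first ACE wins
    print(nat.ambiguous_mapped())                        # ['203.0.113.10']

    # Case 2 (NET1-style): a /27 to a /27, ACL destination is a /24.
    net1 = PolicyStaticNat()
    net1.add_static("10.1.2.0/27", "198.51.100.0/24", "203.0.113.0/27")
    print(net1.outbound("10.1.2.5", "198.51.100.77"))  # 203.0.113.5
    print(net1.outbound("10.1.2.5", "192.0.2.9"))      # None: dest not in ACL
    print(net1.inbound("192.0.2.9", "203.0.113.5"))    # 10.1.2.5: any outside host
```

The second case shows the asymmetry the excerpt warns about: a host on 10.1.2.0/27 is only translated when it talks to the ACL's destination network, but any outside address can reach the mapped range inbound.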
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...