It seems that when using the ACL in combination with the static translation statement (amounting to static policy NAT), the number of "real" addresses to be translated (as specified in the ACL) needs to be equal to the number of addresses used for translation (which is only 1 address).
For example, my Cisco ASA 5505 gave no errors when I entered the following:
Static Policy Nat - Accepted by ASA w/ no errors - (1 to 1 mapping of 1 real address to 1 mapped address)
access-list staticPOLICYnat line 1 extended permit ip host 172.16.0.2 host 126.96.36.199
The above policy static NAT translates the real source address of 172.16.0.2 to 192.168.1.253 when 172.16.0.2 attempts connections to 188.8.131.52.
Notice that there is a 1 to 1 mapping of the "real" address of 172.16.0.2 to the mapped address of 192.168.1.253.
However, in the past I also wondered if I could translate more than one real address and map them to one global address using the ACL and static NAT combo (which amounts to static policy NAT). But I have not been able to get that to work. For example, entering the following provided me with the "global address overlaps with mask" error.
Static Policy Nat - Rejected By ASA w/ error of "global address overlaps with mask" - (many to 1 mapping of multiple real addresses to 1 mapped address)
access-list staticPOLICYnat line 1 extended permit ip any host 184.108.40.206
The above configuration was rejected by my ASA 5505 with an error of "global address overlaps with mask".
In my experience, it is, however, possible to use dynamic policy NAT (instead of static policy NAT) to translate multiple "real" IP addresses to a single mapped/translated address.
Dynamic Policy Nat - Accepted by ASA w/ no errors - (many to 1 mapping of multiple real addresses to 1 mapped address)
access-list staticPOLICYnat line 1 extended permit tcp any host 220.127.116.11
nat (inside) 2 access-list staticPOLICYnat
global (outside) 2 192.168.1.253
Being able to translate multiple source/real addresses to a single mapped/translated address can be useful in the following situation:
Distant end firewalls need a consistent IP address (instead of allowing your site's entire range) from your site when your users access the distant site's services. This is beneficial in that one would not need to configure static IP addresses just so that the other site's firewall allows the clients to traverse into their network.
If anyone knows how to translate or map multiple IP addresses to a single IP address using STATIC POLICY NAT, please do share.
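An added example, not part of the original post and not Cisco's own validation logic: a small Python pre-check that encodes the observation above by flagging any static policy NAT whose ACL matches more than one real address. It assumes the pre-8.3 `static (real_if,mapped_if) <mapped> access-list <name>` form (the post does not show its static line); the sample config, the ACL names and the 203.0.113.10 destination are constructed.

```python
import ipaddress
import re

# Constructed sample config (pre-8.3 syntax); the static lines are assumed.
SAMPLE = """\
access-list ONE2ONE extended permit ip host 172.16.0.2 host 203.0.113.10
access-list MANY2ONE extended permit ip any host 203.0.113.10
access-list SUBNET line 1 extended permit ip 172.16.0.0 255.255.255.0 host 203.0.113.10
access-list DYN extended permit tcp any host 203.0.113.10
static (inside,outside) 192.168.1.253 access-list ONE2ONE
static (inside,outside) 192.168.1.253 access-list MANY2ONE
static (inside,outside) 192.168.1.253 access-list SUBNET
nat (inside) 2 access-list DYN
global (outside) 2 192.168.1.253
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:line \d+ )?extended permit \S+ (.+)$")
STATIC_RE = re.compile(r"^static \(\S+?,\S+?\) (\S+) access-list (\S+)")

def source_size(spec):
    """Count the real (source) addresses at the start of an ACL address spec."""
    tok = spec.split()
    if tok[0] == "any":
        return 2 ** 32
    if tok[0] == "host":
        return 1
    # "<network> <netmask>" form
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False).num_addresses

def lint(config):
    """Return (acl, mapped, real_count) for every static policy NAT whose ACL
    does not match exactly one real address (an undefined ACL counts as 0)."""
    lines = [l.strip() for l in config.splitlines()]
    acls, findings = {}, []
    for line in lines:
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(source_size(m.group(2)))
    for line in lines:
        m = STATIC_RE.match(line)
        # nat/global pairs (dynamic policy NAT) are skipped: many-to-one is fine there.
        if m and sum(acls.get(m.group(2), [])) != 1:
            findings.append((m.group(2), m.group(1), sum(acls.get(m.group(2), []))))
    return findings

if __name__ == "__main__":
    for name, mapped, count in lint(SAMPLE):
        print(f"static policy NAT via {name}: {count} real addresses -> {mapped}")
```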
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...