PIX - PATing or not depending on outside interface used

sheidelbach
Level 1

I'm still digging into this, but have a need to not NAT any traffic starting on the inside to 2 of my lower-security interfaces (dmz1 & dmz2), but have that same traffic PATed to the interface address if it goes out outside interface.

I'm using nat (inside) 0 0.0.0.0 0.0.0.0 for the non-NATing of traffic that goes from inside to dmz1 & dmz2. So, this keeps me from putting in another nat statement [like nat (inside) 1 0.0.0.0 0.0.0.0] as that causes an error message saying the nat statements overlap. Makes a certain amount of sense.

It looks like a "static (inside,outside) interface 10.1.1.0 netmask 255.255.255.0" would be the perfect solution. But I get an "Invalid netmask with interface option" error message when I try to input that. So, that must not be able to do groups of addresses. It also only lets me do a single static to the interface address, so that is not going to fly even if I was willing to type in every host individually.

I was hoping that static command would let me overload all the inside addresses to the outside interface address when data is going out the "outside" interface, while the "nat (inside) 0" lets me non NAT anything going to dmz1 & dmz2, but no dice.

Any thoughts on what I'm missing here? There has got to be a way to do this.

Thanks!

Accepted Solution

jzsides
Level 1

Have you tried this?

Let's say you have:

192.168.0.0/24 on inside
192.168.1.0/24 on DMZ1
192.168.2.0/24 on DMZ2

access-list NoNATinside permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NoNATinside permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NoNATinside
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 interface

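To check which flows the accepted configuration exempts from translation and which it PATs, here is an added Python model of the PIX evaluation order (example code, not from the thread or from Cisco). It assumes the interface names inside, dmz1, dmz2 and outside, and the embedded config is a constructed copy of the lines above.

```python
import ipaddress

# Constructed copy of the accepted solution's config (interface names assumed).
CONFIG = """
access-list NoNATinside permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NoNATinside permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NoNATinside
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 interface
"""

def net(addr, mask):
    """Build a network from a PIX 'address netmask' pair."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Parse access-list / nat / global lines into lookup tables."""
    acls, nats, globals_ = {}, [], {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "access-list" and t[2] == "permit":
            acls.setdefault(t[1], []).append((net(t[4], t[5]), net(t[6], t[7])))
        elif t[0] == "nat":
            iface, nat_id = t[1].strip("()"), int(t[2])
            rule = ("acl", t[4]) if t[3] == "access-list" else ("net", net(t[3], t[4]))
            nats.append((iface, nat_id, rule))
        elif t[0] == "global":
            globals_[(t[1].strip("()"), int(t[2]))] = t[3]
    return acls, nats, globals_

def classify(cfg, src, dst, ingress, egress):
    """Return 'exempt', 'pat:<pool>' or 'no-xlate' for one flow."""
    acls, nats, globals_ = cfg
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 'nat 0 access-list' (NAT exemption) is checked before numbered nat IDs
    # and does not depend on which interface the packet leaves by.
    for iface, nat_id, (kind, arg) in nats:
        if iface == ingress and nat_id == 0 and kind == "acl":
            if any(src in s and dst in d for s, d in acls[arg]):
                return "exempt"
    # A numbered nat ID only translates where a global with the same ID
    # exists on the egress interface; with no matching global the PIX has
    # no xlate for the flow and drops it.
    for iface, nat_id, (kind, arg) in nats:
        if iface == ingress and nat_id != 0 and kind == "net" and src in arg:
            pool = globals_.get((egress, nat_id))
            return f"pat:{pool}" if pool else "no-xlate"
    return "no-xlate"
```

Running classify over inside-to-dmz1, inside-to-outside and inside-to-an-unlisted-subnet flows shows the last case is dropped, which is the caveat to keep in mind when adding subnets behind dmz1 or dmz2.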
Way cool! Did not notice an ACL as being an option for NAT commands.

Waaaaay cool!

Thanks!
