08-13-2009 12:48 PM - edited 03-11-2019 09:05 AM
I implemented a policy static nat identical to the following example that is listed in page 12-13 of the Firewall Services Module config guide.
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0 255.255.255.224
hostname(config)# static (inside,outside) 209.165.202.129 access-list NET1
However, I get the following error message when I enter my similar configuration into my firewall:
global address overlaps with mask
Usage: [no] static [(real_ifc, mapped_ifc)]
{<mapped_ip>|interface}
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[dns]
[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
[udp <max_conns>]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}
[dns]
[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
[udp <max_conns>]
show running-config [all] static [<mapped_ip>]
clear configure static
08-13-2009 12:55 PM
I also receive the following error:
ERROR: access-list used in static has different local addresses
08-13-2009 12:56 PM
I guess what I'm trying to accomplish is to do PAT overload on Policy Static NAT.
08-13-2009 01:07 PM
Try
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0 255.255.255.224
hostname(config)# nat (inside) 2 access-list NET1
hostname(config)# global (outside) 2 209.165.202.129
The above is assuming that
1) 10.1.2.0/24 is on the inside
2) 209.165.201.0/24 is reachable via the outside address
3) You want to PAT all 10.1.2.x addresses to 209.165.202.129 when the destination IP addresses are in the range 209.165.201.0/24
Jon
08-13-2009 06:04 PM
To further answer your initial question about the 'global address overlaps with mask' message: these types of error messages imply that you are trying to NAT a high number of hosts to an unequal number of IP addresses. In this case, the original configuration leverages an access-list containing 30 possible host IP addresses which must map to a single given IP address.
08-14-2009 06:44 AM
That is correct.
I have been trying to NAT more than one address to a single address by using static policy NAT.
access-list FOR_XLATE extended permit ip host x any
access-list FOR_XLATE extended permit ip host y any
static (inside,outside) a.a.a.a access-list FOR_XLATE
When I enter the above configurations into my FWSM, I now get the following error:
ERROR: access-list used in static has different local addresses
I do not get the above error when I enter a configuration to NAT one address to one IP address.
access-list FOR_XLATE extended permit ip host x any
static (inside,outside) a.a.a.a access-list FOR_XLATE
That is all fine and good, but the above behavior for the two configurations on my FWSM seems to contradict page 12-13 of the FWSM config guide which provided an example that implies it's possible to NAT more than one address to a single address using Policy Static NAT.
What could be going on?
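To make the two FWSM rejections above reproducible without a firewall, here is a small configuration linter written for this thread (it is not Cisco code and does not reproduce FWSM internals). It parses `access-list` and `static ... access-list` lines and flags the two situations the thread describes: an access-list whose ACEs name more than one real (source) address, and a mapped address that does not fit the block implied by the real network. The second check rests on an assumption drawn from the guide's /27-to-/27 example: the mapped block is taken to have the same size as the ACL's real network, so the mapped address must be that block's network address. The sample configurations are constructed, with the thread's placeholder hosts x and y replaced by RFC 5737-style addresses.

```python
import ipaddress

# Constructed sample configurations modelled on the thread (not copied from a device).
CONFIG_SUBNET_TO_HOST = """
access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0 255.255.255.224
static (inside,outside) 209.165.202.129 access-list NET1
"""
CONFIG_TWO_HOSTS = """
access-list FOR_XLATE extended permit ip host 10.1.1.1 any
access-list FOR_XLATE extended permit ip host 10.1.1.2 any
static (inside,outside) 209.165.200.225 access-list FOR_XLATE
"""
CONFIG_ONE_HOST = """
access-list FOR_XLATE extended permit ip host 10.1.1.1 any
static (inside,outside) 209.165.200.225 access-list FOR_XLATE
"""
CONFIG_SUBNET_TO_SUBNET = """
access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0 255.255.255.224
static (inside,outside) 209.165.202.128 access-list NET1
"""


def _parse_addr(tokens, i):
    """Consume one ACE address spec (any | host A | A MASK); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect permit-ip ACEs per access-list name and every policy static line."""
    acls, statics = {}, []
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            name, i = t[1], 2
            if t[i] == "extended":
                i += 1
            if t[i] != "permit" or t[i + 1] != "ip":
                continue  # only 'permit ip' ACEs are modelled here
            src, i = _parse_addr(t, i + 2)
            dst, i = _parse_addr(t, i)
            acls.setdefault(name, []).append((src, dst))
        elif t[0] == "static" and "access-list" in t:
            # static (real_ifc,mapped_ifc) MAPPED_IP access-list NAME [netmask MASK]
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            statics.append({
                "real_ifc": real_ifc,
                "mapped_ifc": mapped_ifc,
                "mapped_ip": ipaddress.ip_address(t[2]),
                "acl": t[t.index("access-list") + 1],
                "netmask": t[t.index("netmask") + 1] if "netmask" in t else None,
            })
    return acls, statics


def lint_policy_static(text):
    """Return a list of '<acl>: <message>' findings; an empty list means no objection."""
    acls, statics = parse_config(text)
    findings = []
    for s in statics:
        aces = acls.get(s["acl"], [])
        if not aces:
            findings.append(f"{s['acl']}: access-list not found")
            continue
        reals = {src for src, _dst in aces}
        # One static maps one real network; a second distinct real address has no un-NAT answer.
        if len(reals) > 1:
            findings.append(f"{s['acl']}: ERROR: access-list used in static has different local addresses")
            continue
        real = reals.pop()
        # Assumption: the mapped block is as large as the real network unless 'netmask' overrides it.
        prefixlen = (ipaddress.ip_network(f"0.0.0.0/{s['netmask']}").prefixlen
                     if s["netmask"] else real.prefixlen)
        mapped = ipaddress.ip_network(f"{s['mapped_ip']}/{prefixlen}", strict=False)
        if mapped.network_address != s["mapped_ip"]:
            findings.append(f"{s['acl']}: global address overlaps with mask")
    return findings


if __name__ == "__main__":
    for label, cfg in [("subnet->host", CONFIG_SUBNET_TO_HOST), ("two hosts", CONFIG_TWO_HOSTS),
                       ("one host", CONFIG_ONE_HOST), ("subnet->subnet", CONFIG_SUBNET_TO_SUBNET)]:
        print(label, lint_policy_static(cfg) or "OK")
```

Run as a script it reports the subnet-to-single-host and two-host configurations as rejected and the one-host and /27-to-/27 configurations as clean, which is the pattern the thread observed.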
02-09-2016 04:17 AM
For the above scenario, what I think you are trying to do is configure static NAT for two different IP hosts (x and y) to a single mapped IP (a.a.a.a), and you are getting the error below.
ERROR: access-list used in static has different local addresses
The firewall is intelligent enough to tell us that this setup will not work, since static NAT is bi-directional.
For example: if a client on the external network tries to access our mapped IP (a.a.a.a), the firewall cannot un-NAT to two different internal IPs (x and y), hence it does not allow us to configure two different IPs to a single IP address in the first place.
If you try the same configuration with a single network in the ACL to a mapped IP, you will not have any error.
Extract from the Cisco site:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_overview.html
For policy static NAT (and for NAT exemption, which also uses an access list to identify traffic), you can initiate traffic to and from the real host. However, the destination address in the access list is only used for traffic initiated by the real host. For traffic to the real host from the destination network, the source address is not checked, and the first matching NAT rule for the real host address is used. So if you configure static policy NAT such as the following:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0 255.255.255.224
hostname(config)# static (inside,outside) 209.165.202.128 access-list NET1
Then when hosts on the 10.1.2.0/27 network access 209.165.201.0/24, they are translated to corresponding addresses on the 209.165.202.128/27 network. But any host on the outside can access the mapped addresses 209.165.202.128/27, and not just hosts on the 209.165.201.0/24 network.
For the same reason (the source address is not checked for traffic to the real host), you cannot use policy static NAT to translate different real addresses to the same mapped address. For example, two inside hosts, 10.1.1.1 and 10.1.1.2, that you want to be translated to 209.165.200.225. When outside host 209.165.201.1 connects to 209.165.200.225, then the connection goes to 10.1.1.1. When outside host 209.165.201.2 connects to the same mapped address, 209.165.200.225, you want the connection to go to 10.1.1.2. However, because the destination address in the access list is not checked for traffic to the real host, then the first ACE that matches the real host is used. Since the first ACE is for 10.1.1.1, then all inbound connections sourced from 209.165.201.1 and 209.165.201.2 and destined to 209.165.200.255 will have their destination address translated to 10.1.1.1.
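The extract's two scenarios can be walked through with a small lookup model. The following is an added example written for this thread, not Cisco code: it models policy static NAT the way the extract describes it, checking both source and destination for traffic initiated by the real host, but ignoring the outside source and taking the first ACE whose mapped block contains the destination for traffic to the real host. The mapped block is assumed to have the same size as the real network (as in the guide's /27-to-/27 example), and the per-host ACEs in the second scenario (10.1.1.1 paired with 209.165.201.1, 10.1.1.2 with 209.165.201.2) are constructed from the extract's description. The FWSM refuses the second configuration; the model accepts it precisely so that the ambiguity the firewall is avoiding becomes visible.

```python
import ipaddress


class PolicyStaticNat:
    """Lookup model of policy static NAT as the extract describes it.

    Outbound (real -> mapped): an ACE matches only if both real source and destination match.
    Inbound (mapped -> real): the outside source is not checked; the first ACE whose mapped
    block contains the destination wins.
    """

    def __init__(self):
        self.rules = []  # (real_net, dst_net, mapped_net) in configuration order

    def add_ace(self, real, dst, mapped):
        real_net = ipaddress.ip_network(real)
        dst_net = ipaddress.ip_network(dst)
        # Assumption: the mapped block is as large as the real network (guide's /27 -> /27 case).
        mapped_net = ipaddress.ip_network(f"{mapped}/{real_net.prefixlen}", strict=False)
        self.rules.append((real_net, dst_net, mapped_net))

    @staticmethod
    def _shift(addr, from_net, to_net):
        """Translate addr by keeping its offset within from_net and applying it to to_net."""
        offset = int(addr) - int(from_net.network_address)
        return ipaddress.ip_address(int(to_net.network_address) + offset)

    def outbound(self, real_src, dst):
        """Mapped source for a connection initiated by the real host, or None if no ACE matches."""
        s, d = ipaddress.ip_address(real_src), ipaddress.ip_address(dst)
        for real_net, dst_net, mapped_net in self.rules:
            if s in real_net and d in dst_net:
                return str(self._shift(s, real_net, mapped_net))
        return None

    def inbound(self, outside_src, mapped_dst):
        """Real destination for a connection from outside; outside_src is deliberately unused."""
        d = ipaddress.ip_address(mapped_dst)
        for real_net, _dst_net, mapped_net in self.rules:
            if d in mapped_net:
                return str(self._shift(d, mapped_net, real_net))
        return None


def guide_example():
    """Scenario 1: 10.1.2.0/27 -> 209.165.202.128/27, restricted (outbound only) to 209.165.201.0/24."""
    nat = PolicyStaticNat()
    nat.add_ace("10.1.2.0/27", "209.165.201.0/24", "209.165.202.128")
    return {
        "out_to_listed_dst": nat.outbound("10.1.2.5", "209.165.201.10"),   # translated
        "out_to_other_dst": nat.outbound("10.1.2.5", "198.51.100.1"),      # destination not in ACL
        "in_from_listed_src": nat.inbound("209.165.201.10", "209.165.202.133"),
        "in_from_other_src": nat.inbound("198.51.100.7", "209.165.202.133"),  # source not checked
    }


def two_hosts_one_mapped():
    """Scenario 2: two real hosts sharing 209.165.200.225 (constructed ACEs; the FWSM rejects this)."""
    nat = PolicyStaticNat()
    nat.add_ace("10.1.1.1/32", "209.165.201.1/32", "209.165.200.225")
    nat.add_ace("10.1.1.2/32", "209.165.201.2/32", "209.165.200.225")
    return {
        "out_host1": nat.outbound("10.1.1.1", "209.165.201.1"),
        "out_host2": nat.outbound("10.1.1.2", "209.165.201.2"),
        "in_from_201_1": nat.inbound("209.165.201.1", "209.165.200.225"),
        "in_from_201_2": nat.inbound("209.165.201.2", "209.165.200.225"),  # first ACE still wins
    }


if __name__ == "__main__":
    for name, result in (("guide example", guide_example()),
                         ("two hosts, one mapped", two_hosts_one_mapped())):
        print(name)
        for k, v in result.items():
            print(f"  {k}: {v}")
```

In the first scenario the outbound lookup honours the ACL's destination while the inbound lookup from 198.51.100.7 still reaches 10.1.2.5, matching the extract's point that any outside host can reach the mapped block. In the second, both outbound translations succeed, but both inbound connections land on 10.1.1.1: there is no information in an inbound packet to pick 10.1.1.2, which is why the FWSM reports different local addresses rather than installing the rule.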