duplicate xlate

Hi,

I have the following PIX static configuration that creates a duplicate translation from time to time:

static (inside,outside) 99.99.99.99 192.168.1.1 netmask 255.255.255.255
static (inside,outside) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

show xlate | grep 192.168.1.1

global          local
192.168.1.1     192.168.1.1
99.99.99.99     192.168.1.1

Like I mentioned earlier, this configuration creates a duplicate translation from time to time. Can anyone explain why? Thanks.

icg-pix

Your second translation applies to all internal devices in the 192.168.*.* subnet. Your first translation applies to the internal device 192.168.1.1. 192.168.1.1 is, though, part of 192.168.*.*, so you have overlapping translations.

You are violating the constraint that "you cannot use the same local address in static NAT or static PAT commands"; see the section "Order of NAT Commands Used to Match Local Addresses".

Notice in that section that regular static commands do not look for "best match" or "longest match": you are simply not -allowed- to use the same address this way.

In practice, consider what happens if an -incoming- packet is addressed to 99.99.99.99. According to your first static, the translation 99.99.99.99 -> 192.168.1.1 should be created. But now suppose there is an incoming packet addressed to 192.168.1.1: that is not 99.99.99.99, so the first translation does not apply, but the second translation does, so the translation 192.168.1.1 -> 192.168.1.1 would be created.

To fix your problem, code

access-list AlmostIdentity deny ip host 192.168.1.1 any
access-list AlmostIdentity permit ip 192.168.0.0 255.255.0.0 any

static (inside,outside) 99.99.99.99 192.168.1.1 netmask 255.255.255.255
static (inside,outside) 192.168.0.0 access-list AlmostIdentity

This requires PIX 6.3 though. If you have PIX 6.2 or earlier, code

access-list AlmostIdentity deny ip host 192.168.1.1 any
access-list AlmostIdentity permit ip 192.168.0.0 255.255.0.0 any

static (inside,outside) 99.99.99.99 192.168.1.1 netmask 255.255.255.255
nat (inside) 0 access-list AlmostIdentity

You can also use this second form in PIX 6.3. The nat 0 form has a subtle difference from the static form: the nat 0 form does not support proxy ARP.

Walter Roberson
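The following is an added illustration, not code from the thread or from Cisco: a small Python model of the inbound matching the reply walks through. It assumes (as the reply describes) that statics are checked in configuration order with first match winning and no "longest match", that an access-list on a static or nat 0 restricts which local addresses that entry covers, and that an xlate is recorded as a (global, local) pair. Run it to see the overlapping configuration produce two xlates for local 192.168.1.1 and the AlmostIdentity version produce one.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the behaviour described in the reply; this is an
# assumption about PIX matching, not an implementation of the real code.

def acl_permits(acl, local):
    """Evaluate an access-list given as [(action, network), ...] in order.
    First matching entry wins; no match means deny (implicit deny)."""
    addr = ip_address(str(local))
    for action, net in acl:
        if addr in ip_network(net):
            return action == "permit"
    return False


class Static:
    """One static (inside,outside) entry: global network -> local network,
    optionally narrowed by an access-list on the local side."""

    def __init__(self, global_net, local_net, acl=None):
        self.global_net = ip_network(global_net)
        self.local_net = ip_network(local_net)
        self.acl = acl  # None: every address in local_net is covered

    def inbound_xlate(self, dst):
        """Return (global, local) if an inbound packet to dst hits this entry."""
        dst = ip_address(dst)
        if dst not in self.global_net:
            return None
        # Map the host offset inside the global network onto the local network.
        offset = int(dst) - int(self.global_net.network_address)
        local = ip_address(int(self.local_net.network_address) + offset)
        if self.acl is not None and not acl_permits(self.acl, local):
            return None  # excluded by the access-list, so this entry does not apply
        return (str(dst), str(local))


def build_xlates(statics, inbound_dsts):
    """Feed inbound destinations through the statics in configuration order
    and collect the xlates that get created (first match wins)."""
    table = []
    for dst in inbound_dsts:
        for entry in statics:
            hit = entry.inbound_xlate(dst)
            if hit:
                if hit not in table:
                    table.append(hit)
                break
    return table


def duplicate_locals(table):
    """Local addresses that appear in more than one xlate: the symptom
    shown by 'show xlate' in the original question."""
    by_local = {}
    for glob, local in table:
        by_local.setdefault(local, []).append(glob)
    return {l: g for l, g in by_local.items() if len(g) > 1}


# The two configurations from the thread, in the same order as posted.
ALMOST_IDENTITY = [("deny", "192.168.1.1/32"), ("permit", "192.168.0.0/16")]

ORIGINAL = [
    Static("99.99.99.99/32", "192.168.1.1/32"),
    Static("192.168.0.0/16", "192.168.0.0/16"),
]
FIXED = [
    Static("99.99.99.99/32", "192.168.1.1/32"),
    Static("192.168.0.0/16", "192.168.0.0/16", acl=ALMOST_IDENTITY),
]

# Constructed sample of inbound destinations: the two cases from the reply
# plus an unrelated host that the identity static should still cover.
PACKETS = ["99.99.99.99", "192.168.1.1", "192.168.5.7"]

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        table = build_xlates(cfg, PACKETS)
        print(name, table, "duplicates:", duplicate_locals(table))
```

With the original statics the model records both 99.99.99.99 -> 192.168.1.1 and 192.168.1.1 -> 192.168.1.1, exactly the pair the question's show xlate output lists; with the deny line in AlmostIdentity the second entry no longer covers 192.168.1.1, while 192.168.5.7 is still translated to itself.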
