This is an issue I've been struggling with for quite some time, with a seemingly simple answer (Aren't all IT problems?).
And that is the problem of passing traffic between two directly connected subnets with an ASA.
While I'm aware that best practice is to have Internet - Firewall - Router, in many cases this isn't possible.
For example, I have an ASA with two interfaces, named OutsideNetwork (10.19.200.3/24) and InternalNetwork (10.19.4.254/24). You'd expect Outside to be able to get to, say, 10.19.4.1, or at LEAST 10.19.4.254, but pinging the interface gives only bad news.
Result of the command: "ping OutsideNetwork 10.19.4.254"
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.19.4.254, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
Naturally, you'd assume that you could add a static route, to no avail.
[ERROR] route Outsidenetwork 10.19.4.0 255.255.255.0 10.19.4.254 1
Cannot add route, connected route exists
At this point, you might wonder whether it's a NAT or access-list problem.
access-list Outsidenetwork_access_in extended permit ip any any
access-list Internalnetwork_access_in extended permit ip any any
There is no dynamic NAT (or static NAT, for that matter), and un-NATted traffic is permitted.
When I try pinging the above address (10.19.4.254 from Outsidenetwork), I get this error message from level 0 logging (debugging).
Routing failed to locate next hop for icmp from NP Identity Ifc:10.19.200.3/0 to Outsidenetwork:10.19.4.1/0
This led me to set same-security-traffic permit and to assign the same, lesser, and greater security levels to the two interfaces.
Am I overlooking something obvious? Is there a command to set static routes that take precedence over connected routes?
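For reference, below is a minimal two-interface ASA configuration matching the setup described in the question, followed by a packet-tracer check of host-to-host transit traffic. This is an added example, not configuration from the original post: the interface names, addresses and access-list names are taken from the post, while the physical interface names (GigabitEthernet0/0 and 0/1), the security levels, and the test host addresses 10.19.200.50 and 10.19.4.1 are assumptions.

```cisco
! Added example: minimal two-interface ASA configuration for the setup in the question.
! Physical interface names, security levels and test host addresses are assumptions.
interface GigabitEthernet0/0
 nameif OutsideNetwork
 security-level 0
 ip address 10.19.200.3 255.255.255.0
!
interface GigabitEthernet0/1
 nameif InternalNetwork
 security-level 100
 ip address 10.19.4.254 255.255.255.0
!
! Only needed when both interfaces carry the same security level; harmless otherwise.
same-security-traffic permit inter-interface
!
! Permit everything in both directions and bind the lists to the interfaces.
access-list OutsideNetwork_access_in extended permit ip any any
access-list InternalNetwork_access_in extended permit ip any any
access-group OutsideNetwork_access_in in interface OutsideNetwork
access-group InternalNetwork_access_in in interface InternalNetwork
!
! Optional: make ICMP stateful so echo replies are matched to their requests
! instead of depending on the inbound ACL of the far interface.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! No static route is needed: both subnets are connected routes, which is why
! "route OutsideNetwork 10.19.4.0 255.255.255.0 10.19.4.254 1" is rejected.
! Confirm with:
show route
!
! Check: simulate an ICMP echo request (type 8, code 0) from an assumed host on
! OutsideNetwork to an assumed host on InternalNetwork and watch each phase
! (ROUTE-LOOKUP, ACCESS-LIST, NAT) report ALLOW.
packet-tracer input OutsideNetwork icmp 10.19.200.50 8 0 10.19.4.1
!
! Caveat: the ASA answers pings to one of its interface addresses only from
! hosts on that interface's own network, and a ping issued on the ASA with one
! interface as source to another interface's address fails the same way (the
! "NP Identity Ifc" in the log marks locally generated traffic). Neither is a
! test of transit routing; test host-to-host instead.
```

The useful diagnostic is the packet-tracer line: if the ROUTE-LOOKUP phase resolves 10.19.4.1 to InternalNetwork and the ACCESS-LIST phase allows it, the ASA will forward host-to-host traffic between the two subnets even though pings aimed at 10.19.4.254 from the OutsideNetwork side never succeed.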