I'm having a problem with traffic traversing the ASA on the same interface. I'll explain my configuration/setup, and then the symptoms.
I have configured my ASA 5505 with the inside interface having an IP on the internal data VLAN (VLAN 1, security level 100). It is the data VLAN's default gateway. EIGRP has populated the routing table of the ASA with the ISR that routes traffic to and from the Voice VLAN (the ISR has one interface IP on the Data VLAN and another on the Voice VLAN). I've allowed intra-interface routing on the ASA with the "same-security-traffic permit intra-interface" command, exempted NAT between the two networks on the inbound interface and set up an access rule allowing both networks access to one another.
The result is as follows:
Voice VLAN devices are able to access any resource on the data VLAN successfully. However, only ICMP works when devices on the data VLAN try to access a resource on the Voice VLAN: when I try to use telnet or http, the TCP sequence is as follows (according to Wireshark):
1. Data device sends SYN frame to Voice device. This is sent to the ASA (TCP connection built and permitted)
2. ASA forwards frame to the ISR.
3. Voice device receives the SYN and responds with SYN/ACK. This is sent to the ISR.
4. Because the ISR has an interface on the data VLAN, it is forwarded to the Data device.
5. Data device receives an ACK, but is convinced that this is an ACK for a lost segment.
6. RST sent from Data device to Voice device.
7. ASA successfully tears down the connection due to RESET-O flag.
8. Voice device receives RST and sends SYN/ACK.
9. Data device receives SYN/ACK successfully.
I have run this through the ASA's Packet Tracer for ICMP, TCP23 and TCP80, and it is successful each time.
What am I missing here?
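An added example, not from the post above: a model of a stateful middlebox that randomizes the client's initial sequence number (an ASA default) and undoes the shift on the return path, next to a client that checks the ACK number on the returning SYN/ACK. It shows how a SYN/ACK that bypasses the firewall (steps 3 and 4) arrives with an ACK number the client cannot match, producing the RST of step 6. That this is the cause on the poster's network is an assumption, as are the host addresses.

```python
import random

# Constructed addresses for the data-VLAN and voice-VLAN hosts; not from the original post.
DATA_HOST, VOICE_HOST = "10.1.1.10", "10.1.2.10"
MOD = 2 ** 32


class Middlebox:
    """Stateful firewall that shifts the client ISN by a random offset on the way out
    and subtracts it from the ACK on the way back. The un-shift only happens if the
    return packet actually passes through the firewall."""

    def __init__(self, seed=1):
        self.rng = random.Random(seed)
        self.delta = {}  # (client, server) -> offset applied to client sequence numbers

    def forward(self, pkt):
        key = (pkt["src"], pkt["dst"])
        if pkt["flags"] == "SYN":
            self.delta[key] = self.rng.randrange(1, 2 ** 31)
        if key in self.delta:  # client -> server: rewrite SEQ
            pkt = dict(pkt, seq=(pkt["seq"] + self.delta[key]) % MOD)
        rkey = (pkt["dst"], pkt["src"])
        if rkey in self.delta:  # server -> client: undo the shift on ACK
            pkt = dict(pkt, ack=(pkt["ack"] - self.delta[rkey]) % MOD)
        return pkt


def client_check(isn, synack):
    """The data host accepts a SYN/ACK only if its ACK equals the ISN it sent plus one;
    anything else looks like an ACK for a segment it never sent, and it answers with RST."""
    return "ACK" if synack["ack"] == (isn + 1) % MOD else "RST"


def handshake(return_via_firewall):
    """Run SYN -> SYN/ACK for one path and return what the client sends next."""
    fw = Middlebox()
    client_isn = 1000
    syn = {"src": DATA_HOST, "dst": VOICE_HOST, "flags": "SYN", "seq": client_isn, "ack": 0}
    syn_at_server = fw.forward(syn)  # SYN always goes via the firewall (step 1-2)
    synack = {"src": VOICE_HOST, "dst": DATA_HOST, "flags": "SYN/ACK", "seq": 5000,
              "ack": (syn_at_server["seq"] + 1) % MOD}
    if return_via_firewall:
        synack = fw.forward(synack)  # symmetric path: offset is removed
    return client_check(client_isn, synack)  # asymmetric path: offset remains -> RST
```

ICMP echo carries no sequence number for the firewall to rewrite, which is why a bypassed return path leaves ping unaffected while TCP sessions die at the handshake.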