This one has really got me scratching my head. Imagine three interfaces, INSIDE, OUTSIDE and DMZ, at security levels 100, 10 and 100.
Access rules are in place to permit traffic from INSIDE to DMZ and also INSIDE to OUTSIDE. There is also a 10.0.0.0/8 to 10.0.0.0/8 NAT rule (no nat really) between INSIDE - DMZ and INSIDE - OUTSIDE.
Subnets on the inside are 10.96.x.x; subnets on the outside are 10.97.x.x. DMZ subnets are 172.x.x.x. All necessary specific routes are in place.
When a connection is attempted from within INSIDE to a subnet on the OUTSIDE it doesn't work, nor does it get logged as dropped. If I send some traffic that is blocked then it correctly gets logged; however, here is the funny thing: within the logs it shows the destination as being within the DMZ! So my guess is that all permitted traffic is actually being wrongly routed into the DMZ instead of the OUTSIDE interface. But why? The routes are in place, so why would it do this?
Is it because the NAT rules (10.0.0.0/8) are overlapping and therefore the ASA thinks it has some kind of connection open into the DMZ and uses it?
Would it help if I use dynamic NATs and only specify the specific destination subnets for each interface?
Any help would be greatly appreciated as I'm sure this is something simple.
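To make the setup concrete, here is an added ASA configuration sketch (not the poster's actual config, which is not shown). It assumes ASA 8.3+ manual NAT syntax, since the post does not state a version; the interface names and security levels come from the post, while the physical interface IDs, interface addresses and the DMZ object's mask (the post only says 172.x.x.x) are constructed. The first pair of NAT rules is the overlapping 10.0.0.0/8 identity NAT as described; the second pair is the more specific per-destination variant the poster asks about, plus the commands used to check which rule and egress interface a given flow hits.

```cisco
! --- Interfaces as described in the post (IDs and addresses are constructed) ---
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 10.96.0.1 255.255.255.0
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 10
 ip address 10.97.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif DMZ
 security-level 100
 ip address 172.16.0.1 255.255.255.0

! --- Variant A: the overlapping 10.0.0.0/8 -> 10.0.0.0/8 identity NAT as described ---
! Manual NAT rules are evaluated top down; the first matching rule wins. A source-only
! identity rule matches every 10/8 source regardless of destination, and the mapped
! interface named in the matching rule is the one the ASA forwards out of.
object network NET-10-8
 subnet 10.0.0.0 255.0.0.0
nat (INSIDE,DMZ) source static NET-10-8 NET-10-8
nat (INSIDE,OUTSIDE) source static NET-10-8 NET-10-8

! --- Variant B: identity NAT scoped to specific destination subnets per interface ---
! Each rule now only matches traffic whose destination actually lives behind that
! mapped interface, so the two rules no longer compete for the same flows.
object network INSIDE-NETS
 subnet 10.96.0.0 255.255.0.0
object network OUTSIDE-NETS
 subnet 10.97.0.0 255.255.0.0
object network DMZ-NETS
 subnet 172.16.0.0 255.240.0.0
nat (INSIDE,DMZ) source static INSIDE-NETS INSIDE-NETS destination static DMZ-NETS DMZ-NETS
nat (INSIDE,OUTSIDE) source static INSIDE-NETS INSIDE-NETS destination static OUTSIDE-NETS OUTSIDE-NETS

! --- Checks: which NAT rule matches, and which interface the ASA picks for egress ---
! "show nat" lists the rules in evaluation order with translate_hits / untranslate_hits.
show nat
! packet-tracer simulates an INSIDE host talking to an OUTSIDE host and prints every
! phase (route lookup, NAT, access-list) and the final output interface.
packet-tracer input INSIDE tcp 10.96.1.10 12345 10.97.1.10 80 detailed
```

Run the `packet-tracer` line under Variant A and under Variant B and compare the NAT phase and the "output-interface" at the end of the trace; that shows directly whether the first 10/8 rule is capturing the OUTSIDE-bound flow. A further option on ASA 8.4(2) and later is to append the `route-lookup` keyword to a manual identity NAT rule, which tells the ASA to choose the egress interface from the routing table rather than from the rule's mapped interface; whether that is preferable to Variant B depends on how the rest of the NAT policy is organised.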