The reason being: if the destination resides in the same layer three boundary (same subnet), then the source will do an ARP request and find the destination's MAC. From there the source node will send the data directly to the destination's MAC.
There is no man in the middle (firewall) to filter this traffic. If you were routing between networks and the firewall was in the middle, it would work.
You can't deny network traffic when the source and destination are in the same network address. However, if you still want to block access between these 2 devices (assuming both of these devices are physically connected to the same Cisco L2 switches), you'll need to configure Private VLAN on those switchports. This will work like a charm.
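As an added illustration of the Private VLAN approach mentioned above (this is not configuration from the answer's author, and the VLAN ids, interface names and descriptions are assumptions), the following Catalyst IOS snippet puts the two hosts on isolated ports of one private VLAN so that the switch never forwards frames between them, while both can still reach the gateway/firewall on the promiscuous port:

```cisco
! Added illustration, not the original poster's configuration.
! VLAN ids (100/101) and interface names are assumptions.
! Some platforms require VTP transparent mode before private VLANs can be created:
vtp mode transparent
!
! Secondary (isolated) VLAN: hosts in it cannot reach each other at layer 2,
! so Host A's ARP request for Host B is never delivered
vlan 101
 private-vlan isolated
!
! Primary VLAN, associated with the isolated secondary VLAN
vlan 100
 private-vlan primary
 private-vlan association 101
!
! Host ports for the two devices that must not talk to each other
interface GigabitEthernet1/0/1
 description Host A
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet1/0/2
 description Host B
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Promiscuous port towards the default gateway / firewall: both isolated hosts
! can still reach it, so traffic to other subnets keeps passing the firewall
interface GigabitEthernet1/0/24
 description Gateway / firewall inside interface
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
```

After applying this, a ping from Host A to Host B fails because the ARP request is never forwarded to the isolated peer, while both hosts can still ping the gateway. `show vlan private-vlan` and `show interfaces GigabitEthernet1/0/1 switchport` confirm the VLAN association and the port's operational private VLAN mode; if the gateway sits on another switch, the trunk between the switches must carry both the primary and the isolated VLAN.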