This is an issue I've been struggling with for quite some time, with a seemingly simple answer (Aren't all IT problems?).
And that is the problem of passing traffic between two directly connected subnets with an ASA.
While I'm aware that best practice is to have Internet -> Firewall -> Router, in many cases this isn't possible.
For example, I have an ASA with two interfaces, named OutsideNetwork (10.19.200.3/24) and InternalNetwork (10.19.4.254/24). You'd expect Outside to be able to get to, say, 10.19.4.1, or at LEAST 10.19.4.254, but pinging the interface gives only bad news.
Result of the command: "ping OutsideNetwork 10.19.4.254"
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.19.4.254, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
Naturally, you'd assume that you could add a static route, to no avail.
[ERROR] route Outsidenetwork 10.19.4.0 255.255.255.0 10.19.4.254 1
Cannot add route, connected route exists
At this point, you might gander if it's a NAT or access list problem.
access-list Outsidenetwork_access_in extended permit ip any any
access-list Internalnetwork_access_in extended permit ip any any
There is no dynamic nat (or static nat for that matter), and Unnatted traffic is permitted.
When I try pinging the above address (10.19.4.254 from Outsidenetwork), I get this error message from level 0 logging (debugging).
Routing failed to locate next hop for icmp from NP Identity Ifc:10.19.200.3/0 to Outsidenetwork:10.19.4.1/0
This led me to set same-security traffic permit, and to assign the same, lesser and greater security numbers between the two interfaces.
Am I overlooking something obvious? Is there a command to set static routes that are classified higher than connected routes?
There are a few problems in your question. First, I wouldn't naturally think that I could get to the inside network from the outside network. The ASA is a FIREWALL, not a router. If it did this, it wouldn't be doing its job. A router will do that just fine.
The second major problem is with your route command. You don't need it. You have 2 locally connected networks. The firewall knows how to reach both of them. They are directly connected. Thus, you don't need a route command to tell the firewall what the next hop is.
With that stuff out of the way, let's get to an answer. The ASA requires every network to have a security level attached to it from 0-100. A higher security level will be able to access a lower security level. A lower security level needs explicit access granted to resources at a higher level. So let's start by assigning the proper security levels:
Now your inside network is allowed to access your outside network. If you need to allow your outside network to access your inside network, you need to define that in an access-list and assign it to the interface in an access group:
But it's still not working? Probably because you need to define static mappings from one network to the other. Otherwise the firewall doesn't know what to do. Remember, this is a firewall, not a router:
That's it...you should have free flow between the 2 interfaces...really defeats the purpose of a firewall, but it seems to be what you want. At least it gives you a starting point and you can restrict traffic from there.
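An added configuration example (not from the answer's author) that puts the three steps above together for the interfaces and addresses in the question. It assumes an ASA running 8.3 or later (object-based NAT syntax); the physical interface names and the object name are assumptions, and the access list is narrowed to ICMP echo into 10.19.4.0/24 instead of "ip any any" so the firewall keeps filtering:

```cisco
! Added example, not from the original answer. Physical interface names,
! the object name and the ASA 8.3+ NAT syntax are assumptions.
interface GigabitEthernet0/0
 nameif OutsideNetwork
 security-level 0
 ip address 10.19.200.3 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif InternalNetwork
 security-level 100
 ip address 10.19.4.254 255.255.255.0
 no shutdown
!
! Level 100 -> level 0 is allowed by default. Level 0 -> level 100 needs
! an explicit ACL bound with access-group. Permit only ICMP echo into the
! inside subnet here; widen per service later, not with "ip any any".
access-list OutsideNetwork_access_in extended permit icmp any 10.19.4.0 255.255.255.0 echo
access-group OutsideNetwork_access_in in interface OutsideNetwork
!
! Identity NAT: map 10.19.4.0/24 to itself between the two interfaces so the
! ASA has a translation for the flow without rewriting any addresses.
object network INTERNAL_NET
 subnet 10.19.4.0 255.255.255.0
nat (InternalNetwork,OutsideNetwork) source static INTERNAL_NET INTERNAL_NET
!
! Inspect ICMP so echo replies are matched to the outbound echo statefully
! and no separate return-path ACL entry is needed.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Test from a host on each subnet rather than from the ASA itself: the ASA does not route between its own interfaces, so a ping sourced from one interface to the other interface's address fails regardless of this configuration.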
I'm not positive - but there's nothing apparently wrong with your setup - I think the problem is in the tests you are trying to do.
Telling the router to ping one interface with the other as a source address is something I'm not sure would work - it may assume that you mean you want the traffic to leave that interface - in which case it's correct, it has no route to that IP.
Have you tried testing connectivity from external devices, rather than from the router itself?
As long as you don't have some ACLs or NAT in place, and as long as the other devices have appropriate routes to reach this thing, I can't see any reason this isn't just plain old routing...