Here's the problem we've encountered; I was hoping you guys could help me debug what the heck is going on:
In the below diagram, computers on 10.20.1.x cannot ping anything on the 10.20.3.x subnet (including Firewall B).
However, Firewall A can ping Firewall B and the .3.x server so it's not a VLAN routing problem.
The strange thing is that according to the ASDM packet trace on Firewall A (screenshot), packets are allowed to travel freely between the internal PCs and the .3.x subnet servers.
I'm positive the fault lies with Firewall A, but the running config file is way too big to post here, so I'll try to dig out what looks relevant.
We have the following NAT rule, which I would have thought was the solution, but that doesn't seem to help:
static (inside,bt_dmz) 10.20.1.0 10.20.1.0 netmask 255.255.255.0
(bt_dmz is the interface on Firewall A that runs through to the 10.20.3.x subnet)
We also have icmp permitted:
icmp permit 10.20.1.0 255.255.255.0 inside
icmp permit 10.20.2.0 255.255.255.0 dmz
icmp permit 10.20.3.0 255.255.255.0 bt_dmz
Access list rule:
access-list outside_access_in_dmz extended permit icmp any any
If Firewall A can ping Firewall B and the server, it feels like routing between VLANs is OK, but why then can I not ping the server on that VLAN from my internal PC? Could there be a conflicting rule?
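An added diagnostic example, not part of the original post and not the poster's config. Two things worth checking on an ASA with exactly this symptom: `icmp permit` lines only govern pings addressed to the ASA's own interface addresses, not transit traffic, and packet-tracer simulates a single packet in one direction, so an "allowed" echo says nothing about whether the echo-reply coming back in on bt_dmz is permitted. Without `inspect icmp` in the global policy the ASA keeps no ICMP state, so that reply is evaluated as a fresh low-to-high packet and needs an ACL bound (`access-group`) to the lower-security interface. The script below parses a constructed sample config that repeats the quoted lines plus assumed interface security levels, an assumed `outside` interface and an assumed global policy without `inspect icmp`, and reports whether an inside-to-bt_dmz ping can complete; `FIXED_CONFIG` is the same sample with `inspect icmp` added.

```python
"""Audit an ASA (pre-8.3 NAT syntax) running-config for the conditions that
produce one-way ICMP through the box: the echo leaves, the echo-reply never
returns, yet packet-tracer reports the echo as allowed."""
import re
from collections import defaultdict

# Constructed sample config. It repeats the lines quoted in the post and adds
# ASSUMED interface/security-level definitions, an ASSUMED 'outside' interface
# and an ASSUMED global policy (one without 'inspect icmp'). Not the real config.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif inside
 security-level 100
interface GigabitEthernet0/1
 nameif bt_dmz
 security-level 50
interface GigabitEthernet0/2
 nameif outside
 security-level 0
static (inside,bt_dmz) 10.20.1.0 10.20.1.0 netmask 255.255.255.0
icmp permit 10.20.1.0 255.255.255.0 inside
icmp permit 10.20.2.0 255.255.255.0 dmz
icmp permit 10.20.3.0 255.255.255.0 bt_dmz
access-list outside_access_in_dmz extended permit icmp any any
access-list outside_access_in extended permit tcp any host 10.20.1.10 eq 443
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect http
service-policy global_policy global
"""

# Same sample with 'inspect icmp' added to the global policy (the usual fix).
FIXED_CONFIG = SAMPLE_CONFIG.replace("  inspect http\n", "  inspect http\n  inspect icmp\n")

ICMP_TYPE_NAMES = {"echo", "echo-reply", "unreachable", "time-exceeded", "traceroute"}


def parse_config(text):
    """Pull out the handful of statements that decide transit ICMP."""
    cfg = {
        "interfaces": {},            # nameif -> security-level
        "statics": [],               # (real_if, mapped_if, real_net, mapped_net)
        "icmp_permits": [],          # (net, mask, interface)
        "acls": defaultdict(list),   # name -> ["permit icmp any any", ...]
        "access_groups": {},         # interface -> ACL bound inbound on it
        "inspects": set(),           # protocols with an 'inspect' line
    }
    nameif = None
    for line in text.splitlines():
        if line.startswith("interface "):
            nameif = None                      # start of a new interface block
        elif m := re.match(r"^\s+nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"^\s+security-level (\d+)", line)) and nameif:
            cfg["interfaces"][nameif] = int(m.group(1))
        elif m := re.match(r"^static \((\S+),(\S+)\) (\S+) (\S+)", line):
            cfg["statics"].append(m.groups())
        elif m := re.match(r"^icmp permit (\S+) (\S+) (\S+)", line):
            cfg["icmp_permits"].append(m.groups())
        elif m := re.match(r"^access-list (\S+) extended (.+)", line):
            cfg["acls"][m.group(1)].append(m.group(2))
        elif m := re.match(r"^access-group (\S+) in interface (\S+)", line):
            cfg["access_groups"][m.group(2)] = m.group(1)
        elif m := re.match(r"^\s+inspect (\S+)", line):
            cfg["inspects"].add(m.group(1))
    return cfg


def acl_permits_icmp(rules, icmp_type):
    """First-match evaluation of an ACL for an ICMP packet of the given type.
    Only the protocol and a trailing ICMP type name are examined; source and
    destination addresses are ignored (a simplification for this check)."""
    for rule in rules:
        toks = rule.split()
        if len(toks) < 4 or toks[1] not in ("icmp", "ip"):
            continue
        typ = toks[-1] if toks[-1] in ICMP_TYPE_NAMES else None
        if typ is None or typ == icmp_type:
            return toks[0] == "permit"         # first matching rule decides
    return False                               # implicit deny at end of ACL


def check_transit_icmp(cfg, src_if, dst_if):
    """Can a host behind src_if ping a host behind dst_if (echo out, reply back)?"""
    sec, acls, groups = cfg["interfaces"], cfg["acls"], cfg["access_groups"]
    result = {
        # The identity static is only required when nat-control is on; reported for context.
        "identity_nat": any(s[0] == src_if and s[1] == dst_if and s[2] == s[3]
                            for s in cfg["statics"]),
        # 'icmp permit' governs pings addressed to the ASA's own interface
        # addresses; it has no effect on transit traffic.
        "icmp_permit_to_asa": [p for p in cfg["icmp_permits"] if p[2] in (src_if, dst_if)],
        "inspect_icmp": "icmp" in cfg["inspects"],
    }
    # Echo out: an ACL bound to src_if decides; with none bound, the default
    # allows only higher- to lower-security traffic.
    src_acl = groups.get(src_if)
    result["echo_allowed"] = (acl_permits_icmp(acls.get(src_acl, []), "echo") if src_acl
                              else sec.get(src_if, 0) > sec.get(dst_if, 0))
    # Echo-reply back: without 'inspect icmp' the ASA keeps no ICMP state, so the
    # reply arriving on dst_if is a fresh low-to-high packet and needs an ACL
    # bound to dst_if that permits it.
    dst_acl = groups.get(dst_if)
    result["reply_allowed"] = result["inspect_icmp"] or (
        dst_acl is not None and acl_permits_icmp(acls.get(dst_acl, []), "echo-reply"))
    # ACLs that exist but are bound to no interface do nothing at all.
    result["unbound_acls"] = sorted(set(acls) - set(groups.values()))
    result["ping_works"] = result["echo_allowed"] and result["reply_allowed"]
    return result


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG), ("with inspect icmp", FIXED_CONFIG)):
        print(label, check_transit_icmp(parse_config(text), "inside", "bt_dmz"))
```

On the constructed sample the echo is allowed (inside is higher security than bt_dmz) but the reply is not: there is no `inspect icmp` and `outside_access_in_dmz` is defined but bound to no interface. On a real box, `show run policy-map` and `show run access-group` are the two commands that answer the same questions.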