Hello Mahesh,

That looks like a design issue,

As you know each interface on an ASA on routed mode needs to be on a different broadcast domain.

So that means you can access x.x.x.x over only one interface.

Do you see the problem right now? In this case the switch should have 2 different vlans one connecting to inside and the other one to DMZ.

And of course you do not need to access the DMZ subnet over the inside interface as it's directly attached to the ASA on the DMZ vlan

Hello Mahesh,

Thanks for the explanation

1>As you know each interface on an ASA on routed mode needs to be on a different broadcast domain.

So that means you can access x.x.x.x over only one interface

A/ Yes, that is correct

2-now that switch has one new subnet.so does this mean that ASA  will not be able to access that new subnet as ASA  supportsonly 1 subnet per interface?

No, what I mean is that you can access "x" network on one specific interface but you can have more than one subnet per interface ( with routing of course).

3>So when to use route inside?

As soon as you need to go across the inside interface of the ASA in order to reach a destination.

question

Can you please explain this with an example ?

Sure, here is the topology

192.168.10.0----Router----192.168.20.0-----Inside_ASA------ASA_Outside-----4.2.2.0----Internet

                                                                                 |

                                                                                 |

                                                                               DMZ

                                                                                172.16.0.0

So in this case if we want to go to 192.168.10.0 we will need to go  across the inside interface of the ASA that is where we use route inside

Regards,

Julio

Remember to rate all of the helpful post, if you have any other query regarding this just let me know, this might be tricky.