We are in the process of migrating from an older ASA to an FTD appliance. I've had the FTD in place for our site-to-site VPN's and am now at the point where I need to migrate servers which are behind the ASA over to the FTD.

We have an externally routable subnet which we refer to as the DMZ. It's not a true DMZ per say as it is located behind the outside interface.

Attached is a diagram.

• I connected the "DMZ" interface on the FTD to an unmanaged switch, which is connected to the DMZ interface on the ASA. Our DMZ servers are also connected to the switch.
• The outside interface of the new FTD is at 72.72.72.50/28 and the DMZ interface is on a different subnet at 72.72.72.46/28
• The outside interface of the ASA is 72.72.72.52/28 and the DMZ interface is on the same subnet above at 72.72.72.33
• The two firewalls are connected to an "outside" router with the original ip route set to ip route 72.72.72.32 255.255.255.240 72.72.72.52
• I added separate IP route statements for the 4 servers we have in that subnet and deleted the statement above. 3 of the statements route traffic to the old ASA and the statement ip route 72.72.72.44 255.255.255.255 72.72.72.50 routes traffic to the new firewall.
• I also updated the default route on the server to point to the DMZ interface of the new FPR (72.72.72.46).
• I am neither able to access or ping the server from the internet nor from the outside router.
• I am able to ping the server from inside the network.
• From the server I can ping the FPR and IP's on the internet (8.8.8.8)
• I have policies in place to allow ICMP and traffic to port 443 but I see no traffic in the connection logs bound from the outside.
• I don't see any external traffic to the server when I perform a packet capture on the FTD. I do see other traffic.

I hope this answers most questions. I feel like I'm overlooking something stupid.