same-security-traffic permit intra-interface simply allows traffic to hairpin the interface, and disabling it disallows it. The buggy dynamic NAT is created when the FWSM sees the src IP in the header as the same as the xlate'd-to-IP. A logical equiv...
If the host 172.26.48.3, or the parent network, isn't in the NAT exempt allow, it is implicitly denied. Only if the aggregate network is in the exempt, would you explicitly need to deny it serially ahead of the allow. Sadly, ASA doesn't seem to have a...
Normal behavior: DNAT comes in. Return traffic is supposed to do SNAT out. In this case, NAT exempt is explicitly denying the reverse SNAT when going back out. This causes the ASA to DNAT coming in, but it doesn't SNAT when leaving.