I have an ASA 5506-X running 9.8(1) with two interfaces configured for an inside bridge group, but the hosts on those interfaces cannot talk (ICMP, TCP, UDP) across the two member interfaces. Inside_2 is connected to a switch and Inside_4 is connected to an access point. I can ping hosts on both sides from the ASA, but they cannot ping each other, and the MAC addresses for host IPs on the destination interface don't show up in the ARP tables of the hosts on the source interface. Is there an additional command I need to allow ARP broadcast across bridge-groups? From what I have read, that is allowed by default.
The hosts on both interfaces can get to hosts on the outside interface (the internet) just fine.
Do I need to include a NAT statement to tell the two bridge group members not to NAT traffic for the other bridge group member?
I think this is all the relevant configuration commands. Is there something I am missing?
```
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif Inside_2
 security-level 100
!
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif Inside_4
 security-level 100
!
!
interface BVI1
 nameif inside
 security-level 100
 ip address 10.95.x.1 255.255.255.0
!
dns domain-lookup Inside_2
dns domain-lookup Inside_4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
icmp permit any Inside_2
icmp permit any Inside_4
!
threat-detection scanning-threat shun except ip-address 10.95.x.0 255.255.255.0
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
  inspect http
  inspect ils
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
!
```
Posted 6 years ago.