Cisco ASA – Routing Without Identity NAT


As I was writing this down, I think the solution came to me. As usual.

I'll write this down nevertheless to make the world a better place. =D

Let's take a look at this beauty of a network diagram:


So we have two daisy-chained ASAs, and all interfaces up to and including "outside2" have PUBLIC IP addresses. ASA1, which this question is about, runs ASA software 9.8.

The problem is that without the identity NAT statement

nat (inside1,outside1) source static netx netx unidirectional

where netx = 1.1.1.240/29 (the network between the two ASAs), traffic does not seem to flow correctly, at least in one direction. (Currently I can't be more specific, because I don't know exactly.) Since the private address space is PATed behind ASA2, the result is no connectivity to the Internet at all.

There is no specific routing entry on ASA1 to reach ASA2, since these networks are directly attached. ASA1 is the default route for ASA2. Also, all of these interfaces have ACLs that correctly permit traffic, so security levels are of no concern here. There is also no other NAT statement with the (inside1,outside1) interface selection, and no NAT statement with "any" interfaces whatsoever that could conflict.

The funny thing is that after removing the NAT statement in question (followed by "clear xlate"), it still takes hours for the actual Internet access to become unavailable. Putting it back, however, instantly resolves the problem.

I would like to understand why it seems this NAT statement is needed. (I thought the days of "NAT control", where you needed NAT statements even if nothing needed translating, were long gone…)

Best Answer

It looks like the NAT statement in itself is indeed not needed; however, proxy ARP is needed here. Having that identity NAT implicitly activates proxy ARP (even though ASDM warns you not to do that). But in this case you have to.

Feel free to correct me if you think the answer/solution is wrong.
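To make the proxy-ARP side effect concrete, here is an ASA 9.x configuration fragment as an added example; it is not from the question or the answer above. It assumes the interface names from the question (inside1, outside1), an object named netx for the 1.1.1.240/29 the question mentions, and that the upstream device on outside1 expects to reach netx by ARP on that segment (which is what would make proxy ARP necessary). It shows the identity NAT that the answer says is carrying the proxy-ARP behaviour, the same rule with proxy ARP suppressed for contrast, and the interface-wide switch and show commands to check.

```text
! Added example, not the original poster's config. Interface and object
! names are assumptions; the /29 is the one given in the question.
object network netx
 subnet 1.1.1.240 255.255.255.248
!
! Identity NAT: real and mapped object are the same, so nothing is rewritten.
! Its side effect is that ASA1 answers ARP requests on outside1 for
! 1.1.1.240/29 (proxy ARP is on by default for a NAT rule's mapped addresses).
! "unidirectional" only restricts which side may originate the translation.
nat (inside1,outside1) source static netx netx unidirectional
!
! Same rule with proxy ARP explicitly suppressed. Per the answer above this
! is expected to reproduce the outage, so it is shown only for contrast;
! confirm keyword combinations on your software version before use.
! nat (inside1,outside1) source static netx netx no-proxy-arp
!
! Interface-wide switch: if this line is present, proxy ARP on outside1 is
! disabled regardless of the NAT rule, so make sure it is NOT configured.
! sysopt noproxyarp outside1
!
! Checks on ASA1:
! show running-config sysopt   ! no "sysopt noproxyarp outside1" present
! show nat detail              ! rule is present; hit counters move with traffic
! show xlate                   ! identity entries for netx appear after traffic
! debug arp                    ! ASA1 answering ARP for netx addresses on outside1
```

A practical way to distinguish "NAT needed" from "proxy ARP needed" is to keep the identity rule but add no-proxy-arp: if connectivity breaks again (after the upstream ARP cache entry for the netx address ages out, which can take hours and matches the delayed failure described in the question), the translation itself was never the point.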