There is a scenario where a Cisco ASA is connected on a LAN with hosts on the LAN having the ASA's inside interface (10.10.10.100) as default gateway.
A router (10.10.10.20) is also connected to the LAN and is not in-line with the Cisco ASA (out-of-path).
The hosts need to connect to a specific destination (192.168.1.0/24) through the router and therefore the ASA firewall should forward this specific destination traffic back on its inside interface to the router.
Please see the attached topology.
I understand that both the ASA and the router can be configured to achieve this through the use of network routes, NAT, same-security-traffic permit intra-interface, ACLs, class-maps, PBR, etc.
What is the best solution?
Do you want to firewall the traffic before it gets to the router?
If not, you can do just a regular "route inside 192.168.1.0 255.255.255.0 10.10.10.20" and the ASA should forward this traffic to the router if it receives it on the inside interface. You need to add "same-security-traffic permit intra-interface" to get this working.
Not sure if you can use PBR or something like that to get it going; it'd be almost better to forward all the traffic to the router and then have the router send ICMP redirects. It depends on how much traffic is flowing, though.
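The route-plus-hairpin configuration described in the reply above, written out as an added example that is not from the original post. The interface name, the ACL/class-map/policy-map names and the final tcp-state-bypass section are assumptions; the addresses come from the question. The bypass section is there because replies from 192.168.1.0/24 return from the router straight to the hosts without crossing the ASA, so the ASA only ever sees one direction of each TCP session.

```cisco
! Added example (not from the original post). Interface name and the
! HAIRPIN_* / inside-policy names are assumptions.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.100 255.255.255.0
!
! Allow traffic that arrives on "inside" to be sent back out "inside" (hairpin)
same-security-traffic permit intra-interface
!
! Static route: 192.168.1.0/24 is reached via the out-of-path router on the LAN
route inside 192.168.1.0 255.255.255.0 10.10.10.20 1
!
! Caveat (assumed addition): the router delivers return traffic directly to the
! hosts, so the ASA never sees the server side of the TCP handshake and its
! stateful checks will drop the client's packets after the SYN. If this traffic
! is not meant to be firewalled, exempt it from the TCP state check.
access-list HAIRPIN_ACL extended permit tcp 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
class-map HAIRPIN_CLASS
 match access-list HAIRPIN_ACL
policy-map inside-policy
 class HAIRPIN_CLASS
  set connection advanced-options tcp-state-bypass
service-policy inside-policy interface inside
```

Verify the route and the hairpin with "show route" and "show conn" after a host opens a session toward 192.168.1.0/24; the connection should appear with both source and destination on the inside interface.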