We have the scenario attached in this post, where we have the same subnet (172.21.0.0/16) behind our DMZ and our management interfaces on our Cisco ASA.
Supposing we can’t modify our subnets, and we want to use source routing on the ASA as below:
Can you please propose a solution to this problem on ASA (any workaround, any possible alternative configuration).
Thanks in advance.
What you are trying to do is called PBR, which is not supported on the ASA firewall. Its stateful algorithm wouldn't allow it to effectively track the TCP sessions, so that could lead to an insecure environment. Here is a better explanation:
A. Unfortunately, there is no way to do policy-based routing on the ASA at this time. It can be a feature that is added to the ASA in the future.
This is the document:
Hope it helps
PS, I could not make the font smaller, sorry about that.
Firstly, you won't be able to perform any source-based routing on the ASA.
So the alternative is that you do a network static NAT for one of the networks, for example:
NAT the network behind any one interface to another network x.x.x.0 and ask users to connect to the x.x.x.0 network.
If even this does not work, then I guess put a router behind the ASA and do source-based routing on that.
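As an added illustration of the static NAT workaround suggested above (this is not configuration from the original thread), here is ASA 8.3+ object NAT that presents the 172.21.0.0/16 network behind one interface under a second, non-overlapping address range, so that users connect to the mapped range and the ASA can pick the egress interface from the NAT rule rather than from an ambiguous route. The interface names `dmz` and `inside`, the object names, the mapped range 172.22.0.0/16 and the 10.1.1.10 test host are assumptions; substitute your own.

```text
! Added example, not from the original post. Assumed: ASA 8.3+ object NAT syntax,
! interface names "dmz" and "inside", and an unused mapped range 172.22.0.0/16.
!
! Mapped (translated) range that inside users will actually connect to.
object network DMZ-NET-MAPPED
 subnet 172.22.0.0 255.255.0.0
!
! Real range of the DMZ-side hosts; the nat statement is entered inside this object.
! Traffic from inside to 172.22.x.y is untranslated to 172.21.x.y and sent out "dmz";
! the overlapping 172.21.0.0/16 behind "management" keeps its real addresses.
object network DMZ-NET-REAL
 subnet 172.21.0.0 255.255.0.0
 nat (dmz,inside) static DMZ-NET-MAPPED
!
! Verify the rule is installed, then trace a sample flow from an assumed inside host:
! show nat detail
! packet-tracer input inside tcp 10.1.1.10 12345 172.22.0.10 443
! show xlate
```

With this in place a DMZ host at 172.21.0.10 is reached from inside as 172.22.0.10, while 172.21.0.10 on the management side is still reached by its real address. The `packet-tracer` output should show the NAT phase hit DMZ-NET-REAL and the egress interface as `dmz`; if it reports a different interface, the rule is not matching and the ambiguous route is still deciding the path.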