12-13-2017 07:59 AM - edited 02-21-2020 06:57 AM
I have a Cisco ASA 5512-X connected to two ISPs. The "outside" interface is our main ISP and the "cable-modem" is our second ISP that people on the guest LAN will use for internet access. The default route points traffic through the outside interface and PBR is used to direct traffic for the guest LAN through the cable-modem interface to the internet.
The problem I am encountering is that IT would like to also use the guest LAN as a way to test AnyConnect SSL VPN periodically when a new profile is set up. When connected to the guest LAN and I try to launch the SSL VPN, it times out, just like when trying it from the inside interface. I expect that behavior from the inside interface, but I thought that I would be able to route this VPN traffic out the cable-modem interface to the internet and then back to the outside interface to make a successful connection. I am also seeing trouble getting to resources hosted behind the DMZ (webserver & mail server). All other traffic to the internet appears to work fine; just internal resources are failing.
The ASDM logs show the following error when trying to ping the internal webserver and mail server:
"Deny ICMP reverse path check from x.x.x.x (cable-modem public IP) to x.x.x.x (webserver public IP) on interface outside"
I get a similar tcp error when trying to load a webpage from the webserver.
I understand that when I am trying to contact the webserver my traffic is routing to the internet and then coming back in, and the return traffic from the webserver is probably taking a different path back, causing the packets to be dropped by the ASA. My question is, can this be done or is it just a limitation by design?
12-13-2017 08:23 AM
I believe you are describing two problems, so I will try to address them separately:
- You will not be able to access the outside interface of the ASA from the inside or guest network. What you can do is activate AnyConnect on the guest interface and instruct the IT personnel to use the guest IP on the ASA for testing:
webvpn
enable guest
- The log you posted indicates that you have reverse path enabled on the outside interface; this means that the ASA will not accept traffic on an interface from which it didn't originate. Considering you have a default route on the outside interface, you should check to see if you have a more specific route. You could also disable RPF:
no ip verify reverse-path interface outside
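Before turning off reverse-path verification on the outside interface, it is worth knowing what it is actually dropping. The following is an added example, not code from the thread or from Cisco: a small Python parser for ASA syslog message 106021 (the "Deny ... reverse path check" line quoted above) that separates denials sourced from your own second-ISP public address (the asymmetric routing described in the question) from denials sourced elsewhere, which is the spoofing that RPF is meant to catch. The log lines and IP addresses are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original post). ASA message
# 106021 is the reverse-path-check denial the poster saw in ASDM; addresses are
# placeholders from RFC 5737 documentation ranges.
SAMPLE_LOGS = """\
%ASA-1-106021: Deny ICMP reverse path check from 203.0.113.10 to 198.51.100.25 on interface outside
%ASA-1-106021: Deny TCP reverse path check from 203.0.113.10 to 198.51.100.25 on interface outside
%ASA-1-106021: Deny TCP reverse path check from 203.0.113.10 to 198.51.100.26 on interface outside
%ASA-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.7/51234 (192.0.2.7/51234) to dmz:198.51.100.25/443 (198.51.100.25/443)
%ASA-1-106021: Deny UDP reverse path check from 192.0.2.200 to 198.51.100.25 on interface outside
"""

RPF_RE = re.compile(
    r"%ASA-\d-106021: Deny (?P<proto>\S+) reverse path check "
    r"from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<iface>\S+)"
)


def parse_rpf_denies(text):
    """Return one dict (proto, src, dst, iface) per ASA 106021 denial line."""
    denies = []
    for line in text.splitlines():
        match = RPF_RE.search(line)
        if match:
            denies.append(match.groupdict())
    return denies


def summarize(denies, own_public_ips):
    """Split denials by source address: those from our own public IPs (e.g. the
    cable-modem ISP address, i.e. the asymmetric path from the thread) versus
    all other sources. Returns two Counters keyed by (src, dst, iface)."""
    asymmetric, other = Counter(), Counter()
    for d in denies:
        key = (d["src"], d["dst"], d["iface"])
        if d["src"] in own_public_ips:
            asymmetric[key] += 1
        else:
            other[key] += 1
    return {"asymmetric": asymmetric, "other": other}


if __name__ == "__main__":
    # Placeholder for the cable-modem interface's public IP (not from the post).
    result = summarize(parse_rpf_denies(SAMPLE_LOGS), {"203.0.113.10"})
    for bucket, counts in result.items():
        print(bucket)
        for (src, dst, iface), n in counts.most_common():
            print(f"  {n:>3}  {src} -> {dst} on {iface}")
```

If the "other" bucket is empty, the denials are only your own guest traffic hairpinning through the second ISP, and a more specific route for that address (as suggested above) is a narrower fix than removing RPF from the whole outside interface.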
12-14-2017 11:03 AM
Thank you Bogdan, I appreciate the quick response.