Forum Discussion
Another way to solve this is to have the DMZ servers pointing to the firewall as the default gateway as normal, but add a secondary IP to the firewall interface.
You then configure an IP Pool for the VPN users on the same network range as the secondary IP range. You also enable proxy ARP on the Network Access policy so that the APM responds to ARP requests correctly and the firewall picks up the responses on the secondary IP range. What would happen is that the APM routes to the secondary IP on the firewall and then back out the interface to the DMZ servers. The DMZ servers would route to the original default gateway, then back out the same interface to the IP Pool configured.
However, you lose the original source IP, which I believe you want to keep (although you can see which clients had what pool IP in the logs, which is better than using SNAT). Welcome to the wonderful world of network engineering :) You will need to either implement the static routes, manage your design differently, or take the option above as a compromise, but it would require a bit more looking up of client to pool IPs if there are any issues.