Deny TCP (no connection) syn ack when source host is remote

mcmurphytoo
Level 1

Cisco ASA 5510, ASA 8.0(4), ASDM 6.1(5), with inside, outside, and DMZ interfaces. An inside host is dynamically NATted to the outside to browse. I've added an inside router with 2 Ethernet interfaces to work with subnetting the inside network. A host on the remote subnet can ping a host on the outside, but trying to browse to the outside, as INSIDE HOST does, gets an error "Deny TCP (no connection) from outside-host/80 to inside-host/port flags SYN ACK on interface inside". In the drawing my remote host, a router away from the ASA firewall, can PING the Public HOST. Public Host sees the ASA Public IP because dynamic NAT is applied. Remote Host has default gateway 10.7.1.1. Router has IP ROUTE 0.0.0.0 0.0.0.0 10.1.1.2. ASA has IP ROUTE 10.7.0.0 10.1.1.1. INSIDE HOST browses out successfully.

I did packet traces. INSIDE HOST trace has SYN packet Inside Host to Destination; SYN ACK packet Destination to Inside Host; ACK packet Inside Host to Destination. REMOTE HOST trace shows only SYN ACK packets from Destination to Remote Host - no SYN packet. I can't understand how the SYN ACK from Destination shows up without the SYN packet first!

          PUBLIC HOST (nnn.nnn.nnn.nnn)
               |
               |
          SWITCH-External
               |
               | outside
               | public IP (nnn.nnn.nnn.nnn)
DMZ----ASA Firewall
               | private IP
               | inside (10.1.1.2/16)
               |
          SWITCH-Backbone
               |
               |-----------------------------INSIDE HOST (10.1.10.127)
               |
               | inside (10.1.1.1/16)
          ROUTER
               | remote (10.7.1.1)
               |
          SWITCH-Remote
               |
               |
          REMOTE HOST (10.7.1.10)

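The check behind the "Deny TCP (no connection)" message, as an added example that is not part of the original post and not Cisco's code: a stateful firewall only accepts a SYN ACK (or a bare ACK) for a flow whose SYN it has already inspected in the opposite direction, so a SYN ACK arriving for a flow with no table entry is dropped and logged. The tracker below models that rule and runs it over two constructed traces shaped like the ones described in the post (a complete handshake, and a SYN ACK with no preceding SYN). NAT is ignored for simplicity, and the public address 203.0.113.10 is a placeholder for the nnn.nnn.nnn.nnn in the drawing.

```python
"""Minimal stateful TCP handshake tracker (illustration, not Cisco code).

Models why a stateful firewall logs "Deny TCP (no connection) ... flags SYN ACK":
the SYN ACK can only be matched to a connection the firewall built when it saw
the SYN.  Packets below are constructed sample input, not the poster's captures.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the firewall received the packet on
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "S" = SYN, "SA" = SYN ACK, "A" = ACK


FlowKey = Tuple[str, int, str, int]

SYN_SEEN = "SYN_SEEN"          # initiator's SYN inspected, connection built
SYNACK_SEEN = "SYNACK_SEEN"    # responder's SYN ACK matched to that SYN
ESTABLISHED = "ESTABLISHED"    # initiator's final ACK matched


class StatefulTracker:
    """Connection table keyed by the initiator -> responder 4-tuple."""

    def __init__(self) -> None:
        self.table: Dict[FlowKey, str] = {}

    def inspect(self, p: Packet) -> Tuple[bool, str]:
        """Return (permitted, log line) for one packet, updating state."""
        syn, ack = "S" in p.flags, "A" in p.flags
        fwd: FlowKey = (p.src, p.sport, p.dst, p.dport)
        rev: FlowKey = (p.dst, p.dport, p.src, p.sport)
        deny = (f"Deny TCP (no connection) from {p.src}/{p.sport} "
                f"to {p.dst}/{p.dport} flags {{}} on interface {p.iface}")

        if syn and not ack:
            # A bare SYN is the only packet allowed to create state.
            self.table[fwd] = SYN_SEEN
            return True, f"Built TCP connection for {p.src}/{p.sport} to {p.dst}/{p.dport}"
        if syn and ack:
            # SYN ACK must answer a SYN seen in the reverse direction.
            if self.table.get(rev) == SYN_SEEN:
                self.table[rev] = SYNACK_SEEN
                return True, "SYN ACK matched pending SYN"
            return False, deny.format("SYN ACK")
        if ack:
            if self.table.get(fwd) == SYNACK_SEEN:
                self.table[fwd] = ESTABLISHED
                return True, "handshake complete"
            if ESTABLISHED in (self.table.get(fwd), self.table.get(rev)):
                return True, "ACK on established connection"
            return False, deny.format("ACK")
        return False, deny.format(p.flags)


def run_trace(packets: List[Packet]) -> List[Tuple[bool, str]]:
    """Inspect a trace with a fresh connection table; return each verdict."""
    tracker = StatefulTracker()
    return [tracker.inspect(p) for p in packets]


PUBLIC_HOST = "203.0.113.10"   # placeholder for nnn.nnn.nnn.nnn

# Constructed: what the firewall sees for INSIDE HOST's successful handshake.
INSIDE_HOST_TRACE = [
    Packet("inside", "10.1.10.127", 50000, PUBLIC_HOST, 80, "S"),
    Packet("outside", PUBLIC_HOST, 80, "10.1.10.127", 50000, "SA"),
    Packet("inside", "10.1.10.127", 50000, PUBLIC_HOST, 80, "A"),
]

# Constructed: a SYN ACK toward REMOTE HOST for which no SYN was ever inspected.
REMOTE_HOST_TRACE = [
    Packet("inside", PUBLIC_HOST, 80, "10.7.1.10", 50001, "SA"),
]

if __name__ == "__main__":
    for name, trace in (("INSIDE HOST", INSIDE_HOST_TRACE), ("REMOTE HOST", REMOTE_HOST_TRACE)):
        print(f"== {name} ==")
        for ok, line in run_trace(trace):
            print(("PERMIT " if ok else "DENY   ") + line)
```

The second trace reproduces the exact log shape from the post: the verdict depends only on whether the firewall's table holds a SYN for that 4-tuple, so a SYN that reached the destination by a path the ASA did not inspect leaves the returning SYN ACK with nothing to match.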