
cisco wireless router not allowing full tcp handshake when in router mode

sovemp666111 (Level 1)

I have a recently-purchased cisco rv220w wireless router. My setup is as follows: Internet -> asa 5505 -> 10.0.1.0 subnet -> wireless router (subnet 10.0.3.0, public facing ip is 10.0.1.140).

I can ping between the two subnets fine, but not much else. I did a packet capture with Wireshark and noticed something really interesting. If I try to connect from a machine on the 10.0.1.0 subnet to the 10.0.3.0 subnet, say remote desktop for this example, I get a SYN, then a SYN_ACK, and then no ACK back. Only a reset (RST) is getting sent from the machine initiating the connection.

This is super weird. Any help would be appreciated. I have the detailed captures if necessary.

12 Replies

Kremena Ivanova (Cisco Employee)

Hi,


Is there a static route configured on ASAS5505, saying that network 10.0.3.0 is reachable through 10.0.1.140? Also any firewall restrictions on ASA5505, which could possibly stop the communication?

Where are you making the capture - on RV220 WAN/LAN interface or on the PCs?


Regards,

Kremena

Thanks for the reply.


1.) The capture is from the RV220.

2.) I do indeed have a static route configured, e.g.

route inside 10.0.3.0 255.255.255.0 10.0.1.140 1


I don't think I have anything blocking the traffic, but here is my access list and nat config:

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0


access-list inbound extended permit icmp any any echo-reply inactive
access-list inbound extended deny ip object-group attackers any
access-list inbound extended permit tcp any any eq ftp inactive
access-list inbound extended permit tcp any any eq www
access-list inbound extended permit tcp any any eq ssh
access-list inbound extended permit tcp any any eq smtp
access-list inbound extended permit tcp any any object-group geoserver inactive
access-list inbound extended permit tcp any any object-group postgres inactive
access-list inbound extended permit icmp any any
access-list vpnsplit extended permit ip 10.0.1.0 255.255.255.0 172.16.22.0 255.255.255.0
access-list nonat extended permit ip 10.0.1.0 255.255.255.0 172.16.22.0 255.255.255.0
access-list nonat extended permit ip 10.0.1.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list nonat extended permit ip 10.0.3.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_mpc extended permit object-group TCPUDP any any eq www
access-list inside_access_in extended deny ip any object-group netflix-ip inactive
access-list inside_access_in extended permit gre any somevpn 255.252.0.0
access-list inside_access_in extended permit tcp any any eq pptp
access-list inside_access_in extended deny ip any 8.0.0.0 255.0.0.0 inactive
access-list inside_access_in extended deny ip any object-group facebook-ip inactive
access-list inside_access_in extended deny ip any object-group spotify-ip inactive
access-list inside_access_in extended deny ip any 216.235.80.0 255.255.240.0 inactive
access-list inside_access_in extended deny ip any object-group limelight-ip
access-list inside_access_in extended deny ip any object-group pandora-ip inactive
access-list inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip host 10.0.1.46 any inactive
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit udp any any eq ntp
access-list inside_access_in extended permit icmp any any

Also, I noticed something interesting.  Here is a packet-trace from a computer from one subnet trying to remote into the other. It seems that it is hitting the rule [nat (inside) 1 0.0.0.0 0.0.0.0], but I thought my NAT rule was exempting traffic between these two subnets for NAT.  Am I doing something wrong?


 packet-tracer input inside tcp 10.0.1.46 33000 10.0.3.151 3389

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.3.0        255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
object-group service DM_INLINE_TCP_1 tcp
 group-object ftpdatatls
 group-object ftptls
 group-object gtalk
 group-object imapssl
 group-object smtp2
 group-object smtpssl
 group-object sqlserver
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
 port-object eq imap4
 port-object eq pop3
 port-object eq smtp
 port-object eq ssh
 port-object eq telnet
 group-object internetradio
 port-object eq whois
 group-object webmail
 group-object rdp
 group-object mtbogcweb
 group-object git
 group-object iCloudSMTP
 group-object whm
 group-object utahsde
 port-object eq 1401
 port-object eq 5442
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 10.0.1.0 255.255.255.0 inside 10.0.3.0 255.255.255.0
    NAT exempt
    translate_hits = 23, untranslate_hits = 0
Additional Information:

Phase: 7
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
  match ip inside 10.0.3.0 255.255.255.0 inside 10.0.1.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 23
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 77684, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

One more thing.  Here is something interesting from the 220's logs, not sure what it means though:


Tue Apr 22 22:39:44 2014(MST) [rv220w][Kernel][KERNEL] NO CONNTRACK FOUND [DROP]  IN=LAN  OUT=WAN SRC=10.0.3.151 DST=10.0.1.46 PROTO=TCP SPT=3389 DPT=55600 
Tue Apr 22 22:39:49 2014(MST) [rv220w][Kernel][KERNEL] NO CONNTRACK FOUND [DROP]  IN=LAN  OUT=WAN SRC=10.0.3.151 DST=10.0.1.46 PROTO=TCP SPT=3389 DPT=55600 
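As an added example (not from the thread or from Cisco), here is a small Python helper that parses packet-tracer output like the one above into its phases and reports two facts worth confirming before asking why the exemption "did not apply": that the flow enters and leaves the same interface (inside to inside), and that a NAT-EXEMPT phase matched while the dynamic nat (inside) 1 rule is still listed with "No matching global" (the config above only defines global (outside) 1, so no global exists for an inside-to-inside match). The sample transcript is constructed from the quoted output, trimmed to the phases that matter.

```python
# Constructed sample in the layout of the packet-tracer output quoted above.
SAMPLE = """\
Phase: 6
Type: NAT-EXEMPT
Config:
  match ip inside 10.0.1.0 255.255.255.0 inside 10.0.3.0 255.255.255.0
    NAT exempt
Phase: 8
Type: NAT
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
Result:
input-interface: inside
output-interface: inside
Action: allow
"""

def parse_trace(text):
    """Return (phases, summary): per-phase Type/Subtype/Result and Config lines,
    plus the key: value pairs after the bare closing 'Result:' line."""
    phases, summary, cur, in_summary = [], {}, None, False
    for line in (l.strip() for l in text.splitlines()):
        key, sep, val = line.partition(":")
        val = val.strip()
        if key == "Phase" and val.isdigit():
            cur = {"phase": int(val), "type": "", "subtype": "", "result": "", "body": []}
            phases.append(cur)
        elif line == "Result:":              # bare line opens the final summary
            in_summary = True
        elif in_summary and sep:
            summary[key] = val
        elif cur and key in ("Type", "Subtype", "Result"):
            cur[key.lower()] = val
        elif cur and line and key not in ("Config", "Additional Information"):
            cur["body"].append(line)         # match lines, hit counters, etc.
    return phases, summary

def triage(phases, summary):
    """Facts to confirm before asking why the NAT exemption 'did not apply'."""
    notes = []
    if summary.get("input-interface") and summary["input-interface"] == summary.get("output-interface"):
        notes.append("hairpin on " + summary["input-interface"])
    exempt = [p["phase"] for p in phases if p["type"] == "NAT-EXEMPT"]
    dyn = [p["phase"] for p in phases
           if p["type"] == "NAT" and any("No matching global" in b for b in p["body"])]
    if exempt and dyn:
        notes.append("exempt in %s; dynamic NAT also listed in %s" % (exempt, dyn))
    return notes
```

Paste the full trace into parse_trace() to see every phase, including the Subtype: rpf-check and host-limits passes that repeat the dynamic rule.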

When the mode is changed to Router, the firewall rules are still active, meaning that by default WAN to LAN is forbidden. You need to have an access rule which allows WAN to LAN traffic.

Yeah I know.  I added the WAN to LAN allow all rule in the firewall settings.  Plus, LAN to WAN also has the same problem (both directions), which does not appear to be reset when you change the router mode anyways.

You can test if the problem is caused by RV220 or is some routing issue with ASA5500.

Connect a PC directly to the RV220 WAN port, another to the LAN port, configure all with static IPs and test the RDC.

I have tested RV220 with default configuration in router mode and I cannot replicate this problem.

That is a good idea.  I will try this in a bit.

So, it appears to be the ASA, as when I configure 2 hosts statically as you suggested, everything works fine.  Do you see anything in my config that is making the ASA not play nice?  I posted my access-list and NAT settings at the bottom. 

I'm glad that narrowed down the problem to one device, but I can't really help with the ASA configuration. It is an Enterprise device and I'm afraid the ASA support engineers do not look in the Small Business Forum very often.

If the ASA is under warranty, maybe it's better to contact TAC support directly. Here are the contacts: http://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html.


Regards,

Kremena

Okay, well thank you for your help.  I do not believe the ASA is under warranty anymore, would I need to purchase a service contract then?
