3 facilities connected via VPN tunnel. Each facility has a WatchGuard Firebox III firewall in place, which is handling the VPN and providing NAT.
3 web servers with identical content, named web1, web2, web3. ServerIron is set to load balance between them. www.domain.com DNS points to virtualserver.domain.com, and ServerIron balances this out between web1, web2 and web3.
Here's our issue:
Internally, we can call up www.domain.com in our browser. Any customer on the outside can do so. The only people with a problem are those in our VPN tunnel connected facilities. Field offices on broadband *can* VPN in, get an internal IP and surf the page though. Initially I thought it was a general VPN issue, but apparently not so.
Our other facilities *can* ping www.domain.com, and will get the IP address of web1, web2, or web3. So, it's not DNS as far as I can guess. If we type http://web1.domain.com in their browser, we go straight to the site.
So - to sum this up, offices connected via VPN link between two WatchGuard Firebox IIIs are not getting data on port 80 sent back to them from an internal website they *can* DNS and ping. Offices without a firewall at their facility get to it fine, and anybody behind the same firewall as the web servers is also fine.