Hi diederik,

Thank you for your input. I have noted this and will try to lab it. However, I have re-configured my ACL and now 90% of my requirement is working fine.

Here is the new ACL:

    access-list 190 10 deny ip any any vlan 850
    access-list 190 20 permit ip any any

So this tells ve 850: if you receive the packet from the firewall, don't put it in the wildcard VIP, and route it normally.

I can now send traffic from Vlan 10 to Vlan 20 and my firewall can see it. I have pinged it as well as used RDP, and both are working great.

There is only one strange thing that happens: in InterVlan traffic, the firewall sees duplicate packets (two packets). So if 192.168.10.100 pings 192.168.20.100, the firewall sees two packets and not one. This only happens with InterVlan Routing; if I ping 8.8.8.8, the firewall sees only one packet. However, the computers do not see these duplicate packets; from their perspective it is fine. I have cross-checked with Wireshark.

Firewall tcpdump

    tcpdump -ni igb0 host 192.168.10.100 and icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on igb0, link-type EN10MB (Ethernet), capture size 65535 bytes
    16:05:23.530228 IP 192.168.20.100 > 192.168.10.100: ICMP echo request, id 1, seq 3920, length 40
    16:05:23.530239 IP 192.168.20.100 > 192.168.10.100: ICMP echo request, id 1, seq 3920, length 40
    16:05:23.530978 IP 192.168.10.100 > 192.168.20.100: ICMP echo reply, id 1, seq 3920, length 40
    16:05:23.530982 IP 192.168.10.100 > 192.168.20.100: ICMP echo reply, id 1, seq 3920, length 40

Firewall tcpdump

    tcpdump -ni igb0 host 192.168.10.100 and host 192.168.20.100
    18:26:37.443725 IP 192.168.10.100.55809 > 192.168.20.100.3389: Flags [P.], seq 33049:33122, ack 331456, win 1798, length 73
    18:26:37.443726 IP 192.168.10.100.55809 > 192.168.20.100.3389: Flags [P.], seq 33049:33122, ack 331456, win 1798, length 73
    18:26:37.443975 IP 192.168.10.100.55809 > 192.168.20.100.3389: Flags [P.], seq 33122:33195, ack 331456, win 1798, length 73
    18:26:37.443976 IP 192.168.10.100.55809 > 192.168.20.100.3389: Flags [P.], seq 33122:33195, ack 331456, win 1798, length 73
    18:26:37.802975 IP 192.168.10.100.55809 > 192.168.20.100.3389: Flags [P.], seq 33195:33268, ack 331710, win 1797, length 73
    18:26:37.802978 IP 192.168.10.100.55809 > 192.168.20.100.3389: Flags [P.], seq 33195:33268, ack 331710, win 1797, length 73

Here is the tracert from 192.168.20.100 to 192.168.10.100:

    C:\Users\hashim>tracert -d 192.168.10.100

    Tracing route to 192.168.10.100 over a maximum of 30 hops

      1    25 ms    <1 ms    <1 ms  192.168.2.74
      2    <1 ms    <1 ms    <1 ms  192.168.2.74
      3    <1 ms    <1 ms    <1 ms  192.168.20.1
      4     1 ms     1 ms     1 ms  192.168.10.100

    Trace complete.

I was expecting the tracert to be something like:

      1    25 ms    <1 ms    <1 ms  192.168.20.1
      2    <1 ms    <1 ms    <1 ms  192.168.2.74
      3    <1 ms    <1 ms    <1 ms  192.168.2.75
      4     1 ms     1 ms     1 ms  192.168.10.100

So everything is working fine now, except this little issue. Let me know if there is anything that can be done about this.

Thanks for your support.
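
An added example, not part of the original post: a small parser for saved `tcpdump -n` text output that reports, per source/destination pair, how many packets the firewall captured twice and how many only once. The function name and the 1 ms pairing window are assumptions; the sample lines are copied from the captures above, plus one constructed line for the 8.8.8.8 ping.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Lines copied from the captures in the post, plus one constructed
# single-copy line (the 8.8.8.8 ping) for contrast.
SAMPLE = """\
16:05:23.530228 IP 192.168.20.100 > 192.168.10.100: ICMP echo request, id 1, seq 3920, length 40
16:05:23.530239 IP 192.168.20.100 > 192.168.10.100: ICMP echo request, id 1, seq 3920, length 40
16:05:23.530978 IP 192.168.10.100 > 192.168.20.100: ICMP echo reply, id 1, seq 3920, length 40
16:05:23.530982 IP 192.168.10.100 > 192.168.20.100: ICMP echo reply, id 1, seq 3920, length 40
16:05:24.100000 IP 192.168.10.100 > 8.8.8.8: ICMP echo request, id 1, seq 3921, length 40
18:26:37.443725 IP 192.168.10.100.55809 > 192.168.20.100.3389: Flags [P.], seq 33049:33122, ack 331456, win 1798, length 73
18:26:37.443726 IP 192.168.10.100.55809 > 192.168.20.100.3389: Flags [P.], seq 33049:33122, ack 331456, win 1798, length 73
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{6}) IP (\S+) > (\S+): (.*)$")

def find_duplicates(text, window_us=1000):
    """Return (dups, singles), Counters keyed by (src, dst).

    Two lines are one duplicated packet when everything after the timestamp
    is identical and they are at most window_us apart. The window is kept
    small so that a later TCP retransmission is not counted as a duplicate.
    """
    unmatched = {}  # (src, dst, description) -> timestamp of unpaired copy
    dups, singles = Counter(), Counter()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner lines, non-IP lines
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        src, dst, desc = m.group(2), m.group(3), m.group(4)
        prev = unmatched.pop((src, dst, desc), None)
        if prev is not None and ts - prev <= timedelta(microseconds=window_us):
            dups[(src, dst)] += 1      # second copy of a packet already seen
            singles[(src, dst)] -= 1   # the first copy was not a single
        else:
            unmatched[(src, dst, desc)] = ts
            singles[(src, dst)] += 1
    return dups, +singles              # unary + drops zero counts

if __name__ == "__main__":
    dups, singles = find_duplicates(SAMPLE)
    for pair, n in dups.items():
        print("seen twice:", pair, n)
    for pair, n in singles.items():
        print("seen once: ", pair, n)
```

Running the same capture with `tcpdump -e` adds the link-level header to each line, which shows whether the two copies carry different MAC addresses.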