I'm the originator of this thread, but the logins to these forums are so screwed up I'm not sure I'm logged in as me. Anyway... I tried having both tcp://*:5900 and tcp://<lan address range>:1024-65535 in the NC ACL at the same time. This should absolutely take care of the problem, but it didn't.
What's particularly irritating is that when I first put this box in production, it worked. We could VNC to remote clients just fine. No change has been made (at least not by me), but now it doesn't work. I tried updating the software to 6.5 and that didn't make any difference.
As I think I mentioned in my original post, I used Wireshark to monitor both the LAN client and the remote VPN client. During the attempt to connect with VNC, the LAN client showed it was sending packets, but the remote client was receiving nothing.