This sounds like you need some form of reflexive NAT rule. What is curious is that one subnet can access the other. Does this one subnet perchance have a router associated with it that knows how to get to the other range and is doing some form of address translation?
To try to summarize, your Shorewall will need to know how to translate traffic from one zone, which it may try to route to the 'public' interface and reflect this back to the private interface of the other zone, while providing address translation to the new zone. I don't know the commands to tell you specifically how to do this in Shorewall (as I use a different security appliance), but I had to create some rules to this effect.