Can't NAT RDP protocol through 2 ASA Firewalls

I have (2) ASA Firewalls across a single site. The first NATs my public IP to private (call it zone 1) of 172.16.0.0 while the second one routes between 172.16 and 10.0 (call this zone 2).
I want a public IP to NAT RDP 3389 traffic to an IP in zone 2; so it has to traverse both firewalls to do this. FW1 has routes to the 10 network by going through FW2. So I'm wanting to go from public straight to zone 2. I added the NAT statement (call it 4.2.2.1 to 10.0.0.23) and did an allow ACL on the outside interface of FW1. The packet tracer in ASDM shows that this works. On FW2 the ACL says anything from outside (172.16) can go to inside host 10.0.0.23 and the packet tracer shows that it can. I can ping from hosts in the 172.16 range to the 10.0 range. But, when I RDP from outside and hit the NAT, the 10.0 host never responds. Can anyone tell me how to proceed troubleshooting this please? One interesting thing: when I add the public IP to the initial NAT rule, it tells me that I must use the interface name because apparently the outside interface on FW1 actually has this same IP assigned to it. Is this an issue and why? Thanks all! This is fairly urgent and I wish I could award more than 500. Small Visio attached shortly.
stretched silly admin.
marksheeks Asked:

harbor235 Commented:


Does your security policy allow for RDP inbound on both FWs? Remember to adjust for the NAT. The challenge here would be to craft an outside ACL that allows the unsolicited TCP session from the outside through via the first FW; the source must be a public IP. The second tier must have an outside ACL for the RDP session and the NAT'd source address. Can you post the RDP outside ACL entries and your NAT configs?

harbor235;}

marksheeks (Author) Commented:
This is a high-level Visio.
dw1.jpg

marksheeks (Author) Commented:
Thanks, this is useful. So, we can RDP through the first FW to a host in the 172.16 but not straight through both FWs. I see no NAT entries in the second FW; it just routes between 172 and 10. I'm assuming then the policy allows RDP into the 172 but maybe I need another NAT on the second FW?? I can ping from 172 to 10 without any NATs. It just routes.

marksheeks (Author) Commented:
I will post config stuff this morning. The NAT on the outside FW is pointed to the 10.0 host beyond the 2nd FW. Will this work at all or does it need to get NAT'd twice (each time it traverses a FW)? Also, is the fact that I'm using the outside IP actually assigned to the FW1 outside interface for a NAT going to be a problem?

harbor235 Commented:

It will be NAT'd twice if NAT is configured on the inside FW as well. You do not need to run NAT in both FWs, but you will then need to allow a source address of 172.x.x.x destined to the inside server on port 3389.

I need to see your configs to be sure,

harbor235 ;}

marksheeks (Author) Commented:
Doesn't look like I can really post configs, so awarding points. Thanks for all your help. You rock dude.
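The configuration harbor235 describes (destination NAT on FW1 using the interface address, an outside ACL on each ASA, no second NAT on FW2), written out as an added example that is not from the thread or from the asker's configs. It assumes ASA 8.3+ object NAT syntax, a /16 mask for the 172.16 zone and /8 for the 10.0 zone, a placeholder admin client address of 203.0.113.10, and a placeholder FW2 outside address of 172.16.0.254; none of those values are on the page.

```cisco
! ---- FW1 (outer ASA): interface "outside" carries 4.2.2.1, "inside" faces 172.16.0.0/16 ----
! Assumption: ASA 8.3+ object NAT. Because 4.2.2.1 is FW1's own outside address,
! the ASA requires the "interface" keyword rather than the literal IP in the NAT rule.
object network RDP_SERVER
 host 10.0.0.23
 nat (inside,outside) static interface service tcp 3389 3389
!
! On 8.3+ the outside ACL matches the real (post-NAT) address, i.e. the object above.
! Limit the source to the known admin client (placeholder address) rather than "any".
access-list OUTSIDE_IN extended permit tcp host 203.0.113.10 object RDP_SERVER eq 3389
access-group OUTSIDE_IN in interface outside
!
! FW1 must forward the translated packet toward FW2 (placeholder next hop, placeholder mask).
route inside 10.0.0.0 255.0.0.0 172.16.0.254
!
! ---- FW2 (inner ASA): "outside" faces 172.16.0.0/16, "inside" faces 10.0.0.0/8 ----
! No NAT here. FW1 only rewrites the destination, so the packet FW2 receives still has
! the client's public address as its source, not a 172.16 address. A FW2 ACL that permits
! only 172.16.0.0/16 sources would therefore drop it; permit the real source instead.
object network RDP_SERVER
 host 10.0.0.23
access-list OUTSIDE_IN extended permit tcp host 203.0.113.10 object RDP_SERVER eq 3389
access-group OUTSIDE_IN in interface outside
!
! ---- Checks (simulated flows, no packets are sent) ----
! FW1: the SYN as the Internet client sends it, against the public address.
packet-tracer input outside tcp 203.0.113.10 51234 4.2.2.1 3389
! FW2: the same SYN as it arrives after FW1's translation. Tracing with a 172.16 source
! here tests a flow that never actually exists for this inbound connection.
packet-tracer input outside tcp 203.0.113.10 51234 10.0.0.23 3389
! While a client connects, confirm the connection is built on each ASA.
show conn address 10.0.0.23
```

The point to take from the second packet-tracer line is that both ASAs should be traced with the same client source address; if only the destination is translated, FW2's ACL has to admit that public source, and the ping from 172.16 hosts proves routing but not the ACL path the RDP session will actually take.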