  • Status: Solved
Can't NAT RDP protocol through 2 ASA Firewalls

I have two ASA firewalls across a single site. The first NATs my public IP to private (call it zone 1) of 172.16.0.0, while the second one routes between 172.16 and 10.0 (call this zone 2).
I want a public IP to NAT RDP 3389 traffic to an IP in zone 2, so it has to traverse both firewalls to do this. FW1 has routes to the 10 network by going through FW2. So I'm wanting to go from public straight to zone 2. I added the NAT statement (call it 4.2.2.1 to 10.0.0.23) and did an allow ACL on the outside interface of FW1. The Packet Tracer in ASDM shows that this works. On FW2 the ACL says anything from outside (172.16) can go to inside host 10.0.0.23, and the packet tracer shows that it can. I can ping from hosts in the 172.16 range to the 10.0 range. But when I RDP from outside and hit the NAT, the 10.0 host never responds. Can anyone tell me how to proceed troubleshooting this please? One interesting thing: when I add the public IP to the initial NAT rule, it tells me that I must use the interface name because apparently the outside interface on FW1 actually has this same IP assigned to it. Is this an issue, and why? Thanks all! This is fairly urgent and I wish I could award more than 500. Small Visio attached shortly.
stretched silly admin.
Asked by: marksheeks
2 Solutions
 
marksheeksAuthor Commented:
this is a high level visio
dw1.jpg
0
 
harbor235 Commented:

Does your security policy allow for RDP inbound on both FWs? Remember to adjust for the NAT. The challenge here would be to craft an outside ACL that allows the unsolicited TCP session from the outside through via the first FW; the source must be a public IP. The second tier must have an outside ACL for the RDP session and the NATed source address. Can you post the RDP outside ACL entries and your NAT configs?

harbor235;}
0
 
marksheeks Author Commented:
Thanks, this is useful. So, we can RDP through the first FW to a host in the 172.16 but not straight through both FWs. I see no NAT entries in the second FW; it just routes between 172 and 10. I'm assuming then the policy allows RDP into the 172, but maybe I need another NAT on the second FW?? I can ping from 172 to 10 without any NATs. It just routes.
0
 
marksheeks Author Commented:
I will post config stuff this morning. The NAT on the outside FW is pointed to the 10.0 host beyond the 2nd FW. Will this work at all, or does it need to get NATed twice (each time it traverses a FW)? Also, is the fact that I'm using the outside IP actually assigned to the FW1 outside interface for a NAT going to be a problem?
0
 
harbor235 Commented:

It will be NATed twice if NAT is configured on the inside FW as well. You do not need to run NAT on both FWs, but you will then need to allow a source address of 172.x.x.x destined to the inside server on port 3389.

I need to see your configs to be sure,

harbor235 ;}
0
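An added example of the two-firewall arrangement harbor235 describes, in ASA 8.3+ syntax; it is not config from the thread. The addresses 4.2.2.1 and 10.0.0.23 are the asker's placeholders; the object name, interface names, the FW2 outside address 172.16.0.2 and the test client 203.0.113.10 are assumptions. The point it makes is that when only FW1 translates (destination only), FW2 sees the client's original public address as the source, so an FW2 ACL written for a 172.16.x.x source never matches the RDP SYN, and a packet-tracer run with a 172.16 source does not exercise the real flow:

```cisco
! ---- FW1 (outer ASA), ASA 8.3+ syntax ----
object network RDP_HOST_10
 host 10.0.0.23
 ! Mapped address is the outside interface's own IP, so the
 ! "interface" keyword is mandatory instead of typing 4.2.2.1.
 nat (inside,outside) static interface service tcp 3389 3389
!
! From 8.3 on, the inbound ACL references the REAL (untranslated) address.
access-list OUTSIDE_IN extended permit tcp any object RDP_HOST_10 eq 3389
access-group OUTSIDE_IN in interface outside
!
! FW1 reaches zone 2 through FW2's outside address (assumed 172.16.0.2).
route inside 10.0.0.0 255.255.255.0 172.16.0.2 1

! ---- FW2 (inner ASA): routing only, no NAT ----
! FW1 did not source-translate, so this packet arrives from the public
! client address, NOT from 172.16.x.x.
!
! Too narrow (never matches the NATed RDP session, SYN is dropped):
!   access-list OUTSIDE_IN extended permit ip 172.16.0.0 255.255.0.0 host 10.0.0.23
!
! Working: allow the RDP flow from any source, keep the 172.16 -> 10.0 rule.
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.23 eq 3389
access-list OUTSIDE_IN extended permit ip 172.16.0.0 255.255.0.0 host 10.0.0.23
access-group OUTSIDE_IN in interface outside
! Return traffic is handled by the state table; no extra outbound rule needed.

! ---- Checks: simulate the SAME client address on both boxes ----
! On FW1 (destination is the mapped/public IP):
!   packet-tracer input outside tcp 203.0.113.10 51000 4.2.2.1 3389 detailed
! On FW2 (destination is the real IP, source still the public client):
!   packet-tracer input outside tcp 203.0.113.10 51000 10.0.0.23 3389 detailed
! Then watch the live flow while a client connects:
!   capture RDP interface outside match tcp any host 10.0.0.23 eq 3389
!   show capture RDP
```

If the first packet-tracer passes on FW1 and the second fails on FW2 at the ACL phase, the source address mismatch above is the cause; if both pass but the capture on FW2 shows the SYN with no SYN/ACK, the problem is on the 10.0.0.23 host or its default gateway rather than on either firewall.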
 
marksheeks Author Commented:
Doesn't look like I can really post configs, so awarding points. Thanks for all your help. You rock, dude.
0