Can't NAT RDP protocol through 2 ASA Firewalls

Posted on 2009-12-16
Last Modified: 2012-05-08
I have (2) ASA Firewalls across a single site. The first NATs my public IP to private (call it zone 1), while the second one routes between 172.16 and 10.0 (call this zone 2).
I want a public IP to NAT RDP 3389 traffic to an IP in zone 2; so it has to traverse both firewalls to do this. FW1 has routes to the 10 network by going through FW2. So I'm wanting to go from public straight to zone 2. I added the NAT statement (call it to and did an allow ACL on the outside interface of FW1. The packet tracer in ASDM shows that this works. On FW2 the ACL says anything from outside (172.16) can go to the inside host, and the packet tracer shows that it can. I can ping from hosts in the 172.16 range to the 10.0 range. But, when I RDP from outside and hit the NAT, the 10.0 host never responds. Can anyone tell me how to proceed troubleshooting this please? One interesting thing: when I add the public IP to the initial NAT rule, it tells me that I must use the interface name because apparently the outside interface on FW1 actually has this same IP assigned to it. Is this an issue and why? Thanks all! This is fairly urgent and I wish I could award more than 500. Small Visio attached shortly.
stretched silly admin.
Question by:marksheeks

    Author Comment

    this is a high level visio

    Accepted Solution


    Does your security policy allow for RDP inbound on both FWs? Remember to adjust for the NAT. The challenge here would be to craft an outside ACL that allows the unsolicited TCP session from the outside through via the first FW; the source must be a public IP. The second tier must have an outside ACL for the RDP session and the NAT'd source address. Can you post the RDP outside ACL entries and your NAT configs?


    Author Comment

    Thanks, this is useful. So, we can RDP through the first FW to a host in the 172.16 but not straight through both FWs. I see no NAT entries in the second FW; it just routes between 172 and 10. I'm assuming then the policy allows RDP into the 172, but maybe I need another NAT on the second FW?? I can ping from 172 to 10 w/o any NATs. It just routes.

    Author Comment

    I will post config stuff this morning. The NAT on the outside FW is pointed to the 10.0 host beyond the 2nd FW. Will this work at all, or does it need to get NAT'd twice (each time it traverses a FW)? Also, is the fact that I'm using the outside IP actually assigned to the FW1 outside interface for a NAT going to be a problem?

    Assisted Solution


    It will be NAT'd twice if NAT is configured on the inside FW as well. You do not need to run NAT in both FWs, but you will then need to allow a source address of 172.x.x.x destined to the inside server on port 3389.

    I need to see your configs to be sure,

    harbor235 ;}
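The following is an added example, not configuration from anyone in this thread, showing what the two-box design discussed in the accepted and assisted solutions above would look like in pre-8.3 ASA syntax (the syntax a 2009-era ASA runs), plus the commands for tracing a session through each box. Every address and name is assumed: 203.0.113.10 is FW1's outside interface IP (also the public IP used for the NAT), 203.0.113.50 is a remote RDP client, 172.16.1.0/24 is zone 1 with FW2's outside address at 172.16.1.2, 10.0.0.25 is the RDP host in zone 2, and outside_access_in is the ACL name on both firewalls.

```cisco
! ---- FW1 (outside <-> zone 1 / 172.16) ----
! FW1 must know how to reach the 10.0 network: via FW2's outside address
! (address assumed; the question says this route already exists).
route inside 10.0.0.0 255.255.255.0 172.16.1.2

! Static PAT: public TCP/3389 on the outside interface address -> zone 2 host.
! Because the public IP is the outside interface's own address, the ASA
! rejects the literal IP and requires the "interface" keyword, which is the
! message seen in the question; it is expected, not an error in the design.
static (inside,outside) tcp interface 3389 10.0.0.25 3389 netmask 255.255.255.255

! Outside ACL for the unsolicited inbound TCP session. Pre-8.3 ACLs reference
! the mapped (public) address, so the destination is the interface itself.
! The source is pinned to the known client rather than "any" so that the
! published RDP port is not reachable from the whole Internet.
access-list outside_access_in extended permit tcp host 203.0.113.50 interface outside eq 3389
access-group outside_access_in in interface outside

! ---- FW2 (zone 1 / 172.16 <-> zone 2 / 10.0) ----
! No second translation is needed here; FW2 only routes. Its outside ACL must
! permit the session to the real 10.0 address and port. Which source FW2 sees
! depends on FW1: with the destination-only static above it is still the
! original client address; if FW1 also translates the source, it is a 172.16
! address, which is the case the assisted solution describes. Keep only the
! line that matches your FW1 configuration.
access-list outside_access_in extended permit tcp host 203.0.113.50 host 10.0.0.25 eq 3389
access-list outside_access_in extended permit tcp 172.16.1.0 255.255.255.0 host 10.0.0.25 eq 3389
access-group outside_access_in in interface outside

! Only if "nat-control" is enabled on FW2 (it is off by default): an identity
! static so the host is reachable without a real translation.
! static (inside,outside) 10.0.0.25 10.0.0.25 netmask 255.255.255.255

! ---- Troubleshooting: walk one SYN through each box, then capture ----
! On FW1: simulate the client's SYN arriving at the public address.
packet-tracer input outside tcp 203.0.113.50 40000 203.0.113.10 3389
! On FW2: the same SYN as it arrives after FW1 has rewritten the destination.
packet-tracer input outside tcp 203.0.113.50 40000 10.0.0.25 3389
! On FW2: capture the session on the inside interface and look at it.
capture rdp interface inside match tcp any host 10.0.0.25 eq 3389
show capture rdp
```

The capture is the step that answers the question the two packet-tracer runs cannot: packet-tracer only proves that policy and NAT would pass the SYN, not that the host answers or that its reply comes back the same way. If the capture shows SYNs leaving FW2's inside interface with no SYN/ACK returning, the problem is on the 10.0 host (a host firewall, or a default gateway that is not FW2, which sends the reply around the firewalls so the stateful session on FW1 and FW2 never completes). If the SYN never appears on FW2's inside interface at all, compare the two packet-tracer outputs to find which ACL or translation phase drops it.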

    Author Closing Comment

    Doesn't look like I can really post configs, so awarding points. Thanks for all your help. You rock dude
