I'm unable to use Remote desktop from internet to PC in Trust zone

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

I'm unable to use Remote desktop from internet to PC in Trust zone

L2 Linker

Hello all,

I wanna Remote desktop from my PC in home to PC in my company but not success

This is my connection diagram

Untitled Diagram (1).jpg


I wanna remote to PC (belong to VLAN 123, I use several VLANs in Core switch) but not success, NAT seems not to work, there's no traffic logs

This is my config..

Virtual router config.Virtual router config.


Security rulesSecurity rules


NAT ruleNAT rule


I can remote from internet to a server in DMZ zone successfully but L3_Trust zone, so I think because of using VLAN in core switch, it requires some other config.. Please help me 🙂

P/S: The public IP in the pictures is just an example IP 

1 accepted solution

Accepted Solutions

I just found out my root issue that cause my incoming nat is not working, The reason been block is due to my dos policy, After disable the dos policy, It was working fine

View solution in original post


L7 Applicator

In your nat rule try adding source nat


your dmz may have a default route to the internet but maybe your vlans dont.

L3 Networker

take a packet capture on the firewall and the end client.

If you see the syn packet on the end client this would mean the packet is getting forwarded to the client.

Check if you recieve a syn-ack back on the firewall from the client.


If that is not the case then , check the routing on the switch. For testing in the nat rule that you have created for inbound, source nat the traffic to the trustzone interface.


Share the output of pcaps and session if this still does not resolve

L2 Linker

Thank you all for your help, I added source translation to IP of L3_Trust interface ( but still not success when Remote Desktop 😞



at this point. take a pcap on firewall and client together. Share the details.


Provide the below details


After trying rdp connection ,in the command line type

1) show session all filter source<your_public_src_ip> destination destination-port 3389

this command will list the running sessions and the left most column is session id. Select a session id

2) show session id<session_id>




Try modifying your source translation 


address type = translated address

translated address =


Thank you Sir, this is the picture of recive.pcap and drop.pcap, there's nothing in transmit.pcap and firewall.pcap. I'm sorry, due to security reason, I'm not allowed to upload capture file here is my public IP from internet zone


I also run command show session all filter source<your_public_src_ip> destination destination-port 3389 but there's no active session

I change the source translate to "translated address" but it still not working


L7 Applicator

from the cli.


ping source host


do you get replies?

Yes sir, Ping successful

change your security policy/action/log settings to session start.


attempt a connection and find connection attempt in monitor/traffic.


if you can see the session start then select magnifying glass on left column and post 

I've already choosen both Log at session start and end before 😞

L7 Applicator

in your security policy, should the destination address be and not

I think it must be but anyway, I tried changing it to or any, it's not working 😞

Of cource it wouldn't work...When using destination NAT, Security policy must contain PRE-NAT addresses and POST-NAT zones. Which means that your original configuration configuration is actually correct.


In my humble opinion your original configuration was correct (correct NAT and correct security policy). There was suggestion to set source NAT and I saw you have enabled source and destination - I would say this is wrong... I believe the suggestion was to configure source static nat and enable bidirectional. That way you should accomplish the same think create static NAT. But you shouldn't enable both source and destination in the same rule.


In the capture you can see that drop capture is filling with with the SYN, so


So my suggestion:

1. Put everything back as you configure it originally.

2. I saw that you are using service group RDP, can you confirm that this service group contain TCP port 3389?

3. Enable log on start for the security rule
4. Check traffic log for log matching your source address. send screenshot for this entry (you can hide the real addresses if you like)



  • 1 accepted solution
  • 32 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!