John, two possible ways you can experiment. First possibility is to allow all NAS ip as * on NPS so it does not matter if the NAS ip is nat'ed which is different from the originator ip. If it works, you will need to lock down the ACL and NAT rules on ASA to prevent unauthorised access. Second possibility is the put a destination NAT rule on the ASA (where the NPS terminated) so the source ip of the RADIUS packet would has the same source IP as if coming from the ZD, eg: ZD is 10.10.0.1, while your NPS side of the ASA would say the packet coming from the ZD would leave the ASA interface with 10.10.0.1 as the source ip replacing the public IP address of the ZD side of the ASA outside interface. But you need to have the corresponding rule on the NPS side of ASA so the return packet back to 10.10.0.1 will know the way back to the ZD via the ASA.
Final possibility to redesign the implementation is to create ipsec site to site tunnel between the two ASAs so RADIUS would just work.
Hope it helps.