Cant access from inside zone to outside zone server in FMD

suryaaa · ‎09-24-2025

Hello,

I have created a lab but i cant ping from inside zone client pc to outside zone web server even also outside zone router.

I already asign interface on security zone & assign IP. Port are up.

Already assign policy on firewall. All permission are allow with any any.

Please help

Attach topology for understanding.

Rob Ingram · ‎09-24-2025

@suryaaa is routing in place on all devices to ensure traffic reaches the destination and the back to the source?

Ping from the firewall itself to the destination, that should be allowed as default.

Run packet-tracer on the firewall to confirm traffic is allowed in the policy and provide a clue if it is not. Provide the output for review.

suryaaa · ‎09-24-2025

Dear Rob,

Current situation is from web-server to able to ping FTD 172.16.1.10 G0/0 interface.same reverse ping also.

But from web server unable to ping FTD inside interface G0/1 or any inside ip. Same also from inside zone unable to ping outside router interface ip or web server ip.

Rob Ingram · ‎09-24-2025

@suryaaa wrote:

But from web server unable to ping FTD inside interface G0/1 or any inside ip. Same also from inside zone unable to ping outside router interface ip or web server ip.

@suryaaa you cannot ping through the FTD's outside interface to a far interface (inside), that will not work by design. Ping through the FTD, not to one of the FTD's interfaces.

Please provide a screenshot of your Access Control Policy.

For traffic from inside to outside, run packet-tracer and provide the output for review. Do the inside networks have the routes to the web server?

suryaaa · ‎09-24-2025

FTD Policy

NAT Translation

NAT Interface

Outside Router Static route for client Network

FTD Static route for access outside web server

Outside interface packet capture

inside interface packet capture

Rob Ingram · ‎09-24-2025

@suryaaa you are never going to ping from inside to outside with the rule you have there, remove the applications http and icmp and add icmp to the destination ports.

From outside to inside, the NAT rule is probably not going to help. Remove NAT altogether as it's a lab or create a static NAT/PAT for the inside object.

suryaaa · ‎09-24-2025

@Rob Ingram , already remove nat policy. Modified rule in policy. But still not ping from client pc (192.168.182.132) to web server (172.16.2.2). Please help.

suryaaa · ‎09-25-2025

Please someone reply to solve this issue.

Rob Ingram · ‎09-25-2025

@suryaaa what about running the tests already suggested?

Run packet-tracer from the CLI and provide the output for review.

Ping from the firewall itself to the destination (the web server), that should be allowed as default - if it doesn't work, then check routing on the web server and the FTD itself.

suryaaa · ‎09-25-2025

@Rob Ingram thanks for reply. I already test through wire shark for inside outside port of ftd.

I actually didn't know packet-tracer through cli. But I try to do.

From ftd successfully ping web server already I said but from client pc not pinging the webserver same also vice versa. Already shared modified policy as you mentioned earlier. Static routing also done snap also shared. No other routing in ftd.

On web server just mention the ip address & gateway. Nothing else.

Rob Ingram · ‎09-25-2025

@suryaaa packet-tracer input inside tcp 192.168.182.132 3000 172.16.2.2 80 provide the output for review. You may need to change interface name.

So the client PC has the default gateway using the IP address of the FTD IP?

suryaaa · ‎09-26-2025

@Rob Ingram , i run this command on FTD but unable to capture all output because of text out of screen

Second thing i change gateway to FTD still not work then back to Router.

MHM Cisco World · ‎09-26-2025

There are router and SW and there is PO between SW and FTD

1- check router have route to inside subnet?

2- check SW is it L2 or L3' if it L3 then you need to check it RIB if it have route for outside subnet

3- PO can also be issue' try remove it' use single link.

MHM

suryaaa · ‎09-26-2025

@MHM Cisco World i already put a static route for inside network & mention gateway next hop router interface.

Switch configures as L2.

can you please what is the meaning of PO.

Aref Alsouqi · ‎09-26-2025

Could you please share the routing table from R8 for review? alternatively, try to do the following from the PC in the 192.168.182.x subnet and share the output please?

- Ping 172.16.1.11 - This should work
- Ping 172.16.2.1 - If this doesn't work it would suggest that R8 doesn't have a route back to the subnet 192.168.182.x. In that case you need to add a static route on R8 for the 192.168.182.x poiting to the FTD outside interface (172.16.1.10). After that route is added the traffic to the server behind R8 should be successful.