FTD can't reach the internet or the router

moha27med · ‎02-17-2023

Hello Guys
I made this Lab in Gns3 to prepare myself for my CCNP Security exam
Everything work fine, I configure the FTD through FMC, I gave IPs for outside & inside interfaces
also, I have configured NAT and Static route, the issue is that FTD can't reach the internet (so I can't ping to 192.168.122.1)
really I don't know what is the problem, maybe could someone help me

UPDATE: there is no Problem with INTERNET ISP, I have tested with router and PC is pingable

MHM Cisco World · ‎02-17-2023

I think thr issue is in NAT cloud not in FTD.

moha27med · ‎02-18-2023

no cuz i tested the NAT cloud with router and PC, so there are no problems with it

MHM Cisco World · ‎02-18-2023

can I see the route in FTD toward the NAT cloud ? <<- you already share the show route
can you use wireshark between FTD and cloud
see if the FTD get ARP reply for it ARP request

moha27med · ‎02-18-2023

this is the output of Wireshark between FTD and Cloud, it looks like there are no connection between, right?

MHM Cisco World · ‎02-18-2023

no there is but the arp is missing.
please use workaround as I write below and check again.

MHM Cisco World · ‎02-18-2023

If you not see ARP reply then simple solution to complete your lab is
add router between the cloud and FTD
then confing NATing in router.
it is some GNS limitation I think

moha27med · ‎02-20-2023

I found the Problem, the issue in FW FTD, it can't ping to all direction also to Inside and DMZ.
There is a ping between Router and Internet,
but i still don't know why the FW doesn't ping at all, I check the ACL, but there are no restrictions

Karsten Iwen · ‎02-17-2023

You do not state how you tested. Regardless of any configuration problem in access-control, routing and NAT, you should be able to ping the next hop from the FTD itself.

Try if that works and if not, post the output of:

show int ip brief
show run route
show route
show arp

moha27med · ‎02-18-2023

See the attachment pls, these are the outputs

Karsten Iwen · ‎02-18-2023

The config looks good so that you should be able to ping the default gateway from the FTD CLI. But with the ARP table empty it is most likely that you messed up you connection between FTD and Default-Gateway inside of GNS3.

georgipetrov · ‎02-18-2023

I once had this issue, if you configured NAT and the route is fine, you might need to clear the ARP cache with ISP.

Edit: Noticing now you mentioned its a lab - in this case forget ISP

Marius Gunnerud · ‎02-18-2023

How is GNS3 installed? Is it on a Linux, Windows, VM ?

In either of these cases, my first thought would be that the Host device where GNS3 is running is not sharing its network interface with GNS3.

--
Please remember to select a correct answer and rate helpful posts

moha27med · ‎02-18-2023

It is on VM, but there is no problem with Network, because i tested already with the router and pc in the lab (can see it beside the diagram)

Marius Gunnerud · ‎02-18-2023

I am not saying there is a problem with the network, I am saying there is a problem between GNS3 and the host interface. Have you tried assigning the virtual interface to a virtual PC on the VMware host and test from it? I suspect that this will also not work.

But you say that this is VMware, is there a switch between the VMware host and 192.168.122.1? If yes how is the switch port configured (trunk, access-port)?

--
Please remember to select a correct answer and rate helpful posts