topic Re: The output interface as "np identity ifc", and ping fail in Network Security

The output interface as "np identity ifc", and ping failed

matthewik.lee — Sat, 14 May 2022 18:07:17 GMT

Hi sir

I use an IP 134.251.87.253 134.251.87.254 as a server IPs behind the firewall ASA.

Both servers' gateway IP is 134.251.87.237, which is a port IP on the ASA.

I can ping 134.251.87.253 134.251.87.254 from the ASA.

But from other subnets, I can only ping 134.251.87.253, cannot ping 134.251.87.254.

I do the packet-tracer for both:

ASA# packet-tracer input dxc_mgmt icmp 134.251.80.53 8 0 134.251.87.253$

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacbfa8540, priority=13, domain=capture, deny=false
hits=4463289, user_data=0x2aaacab68c90, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=dxc_mgmt, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaaca26f740, priority=1, domain=permit, deny=false
hits=10241882003, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=dxc_mgmt, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 134.251.87.253 using egress ifc RC_eNavi

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dxc_mgmt_access_in in interface dxc_mgmt
access-list dxc_mgmt_access_in remark 20190612 ITO Network request Send ICMP to network devices #019313
access-list dxc_mgmt_access_in extended permit icmp object-group grp_Mgmt_NMS object-group DM_INLINE_NETWORK_2 log default
object-group network grp_Mgmt_NMS
network-object host 134.251.80.207
network-object host 134.251.80.52
network-object host 134.251.80.53
network-object host 134.251.80.54
network-object host 134.251.80.8
network-object host 134.251.80.6
network-object host 134.251.80.200
object-group network DM_INLINE_NETWORK_2
network-object 134.251.78.144 255.255.255.240
network-object 134.251.87.224 255.255.255.224
network-object 134.251.87.96 255.255.255.224
network-object 172.30.0.0 255.255.255.128
network-object 113.21.86.32 255.255.255.248
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac9c446e0, priority=13, domain=permit, deny=false
hits=838, user_data=0x2aaabdb3c540, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=134.251.80.53, mask=255.255.255.255, icmp-type=0, tag=any
dst ip/id=134.251.87.224, mask=255.255.255.224, icmp-code=0, tag=any, dscp=0x0
input_ifc=dxc_mgmt, output_ifc=any

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac7f1c970, priority=0, domain=nat-per-session, deny=true
hits=735229489, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaaca2434a0, priority=0, domain=inspect-ip-options, deny=true
hits=156575230, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=dxc_mgmt, output_ifc=any

ASA# packet-tracer input dxc_mgmt icmp 134.251.80.53 8 0 134.251.87.254$

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacbfa8540, priority=13, domain=capture, deny=false
hits=4449627, user_data=0x2aaacab68c90, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=dxc_mgmt, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaaca26f740, priority=1, domain=permit, deny=false
hits=10241875173, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=dxc_mgmt, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 134.251.87.254 using egress ifc identity

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaaca16ac60, priority=121, domain=permit, deny=false
hits=6729135, user_data=0x0, cs_id=0x0, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=dxc_mgmt, output_ifc=identity

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac7f1c970, priority=0, domain=nat-per-session, deny=true
hits=735229265, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaaca2434a0, priority=0, domain=inspect-ip-options, deny=true
hits=156575138, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=dxc_mgmt, output_ifc=any

Phase: 7
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaaca1ebe10, priority=208, domain=cluster-redirect, deny=false
hits=12628019, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=dxc_mgmt, output_ifc=identity

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaaca1a9180, priority=66, domain=inspect-icmp, deny=false
hits=7041469, user_data=0x2aaac97ed3d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=dxc_mgmt, output_ifc=identity

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaaca242fb0, priority=66, domain=inspect-icmp-error, deny=false
hits=44449213, user_data=0x2aaac97ec890, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=dxc_mgmt, output_ifc=any

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 111925142, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: dxc_mgmt
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: allow

For 134.251.87.254:

output-interface: NP Identity Ifc , which is weird.

For 134.251.87.253:

output-interface: RC_eNavi, which is expected.

Also execute the command "show asp table routing" and find,

ASA# show asp table routing | i 134.251.87
in 134.251.87.254 255.255.255.255 identity <<<<<
in 134.251.87.126 255.255.255.255 identity
in 134.251.87.238 255.255.255.255 identity
in 134.251.87.125 255.255.255.255 identity
in 134.251.87.237 255.255.255.255 identity
in 134.251.87.224 255.255.255.224 RC_eNavi

Anyone can help me to why output-interface: NP Identity Ifc, which is the box self AFAIK.

Thank you a lot. Matthew

Re: The output interface as "np identity ifc", and ping fail

MHM Cisco World — Sun, 15 May 2022 16:06:20 GMT

the NAT change the Outlet interface or routing is missing for server
ping success
phase3 route-lookup select RC_eNavi

ping NOT success
phase3 route-lookup select identity

NAT select identity
SO you need
in NAT command enable route-lookup

OR

there is overlap in subnet you use for management and Server subnet.

if above is not solve issue
and traffic to Server is UDP
clear conn <- use IP of server.

Re: The output interface as "np identity ifc", and ping fail

Sheraz.Salim — Sun, 15 May 2022 14:44:51 GMT

Is the 134.251.87.254 the ASA interface IP address? could you confirm if the packet tracer command have any of the ASA's interfaces ip address in the source or dest field? Normally this behaviour shows up as "NP Identity Ifc"

Re: The output interface as "np identity ifc", and ping fail

Marius Gunnerud — Sun, 15 May 2022 20:41:42 GMT

Without seeing your ASA configuration, my first thought is that this is a NAT issue. Perhaps proxy-arp is disabled. Would you be able to post your ASA configuration (remember to remove or change any public IPs and remove usernames and passwords.)

Re: The output interface as "np identity ifc", and ping fail

matthewik.lee — Mon, 16 May 2022 01:35:00 GMT

Hi Thanks,

No interfaces use this IP 134.251.87.254

TWTPCAFW17# sh ip addr | ex una
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside 134.251.78.157 255.255.255.240 CONFIG
GigabitEthernet0/1 inside 134.251.85.227 255.255.255.192 CONFIG
GigabitEthernet0/2 dxc_mgmt 134.251.84.227 255.255.255.192 CONFIG
GigabitEthernet0/3.1 RC_SMS 134.251.87.125 255.255.255.224 CONFIG
GigabitEthernet0/3.2 RC_eNavi 134.251.87.237 255.255.255.224 CONFIG
GigabitEthernet0/3.3 RC_eDM-AP 172.30.0.126 255.255.255.128 CONFIG
GigabitEthernet0/7 folink 10.0.0.1 255.255.255.0 unset
Management0/0 management 192.168.1.1 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside 134.251.78.157 255.255.255.240 CONFIG
GigabitEthernet0/1 inside 134.251.85.227 255.255.255.192 CONFIG
GigabitEthernet0/2 dxc_mgmt 134.251.84.227 255.255.255.192 CONFIG
GigabitEthernet0/3.1 RC_SMS 134.251.87.125 255.255.255.224 CONFIG
GigabitEthernet0/3.2 RC_eNavi 134.251.87.237 255.255.255.224 CONFIG
GigabitEthernet0/3.3 RC_eDM-AP 172.30.0.126 255.255.255.128 CONFIG
GigabitEthernet0/7 folink 10.0.0.1 255.255.255.0 unset
Management0/0 management 192.168.1.1 255.255.255.0 CONFIG

Thank you.

Re: The output interface as "np identity ifc", and ping fail

matthewik.lee — Mon, 16 May 2022 01:54:09 GMT

Hi config attached. There are NATs but I cannot see any relations to the issue

Thank you Matthew

Re: The output interface as "np identity ifc", and ping fail

matthewik.lee — Mon, 16 May 2022 01:56:50 GMT

Hi not sure if config attached. Do it again. Thank you.

Re: The output interface as "np identity ifc", and ping fail

Sheraz.Salim — Mon, 16 May 2022 08:41:26 GMT

you doing a packet tracer from dxc_mgmt to RC_eNavi

interface GigabitEthernet0/2
 nameif dxc_mgmt
 security-level 80
 ip address 134.251.84.227 255.255.255.192 standby 134.251.84.228
!
interface GigabitEthernet0/3.2
 vlan 62
 nameif RC_eNavi
 security-level 32
 ip address 134.251.87.237 255.255.255.224 standby 134.251.87.238

dxc_mgmt has security level 80 where as RC_eNavi has security level 32. there is no nat rule in place from/to dxc_mgmt to RC_eNavi or vice versa. instead of sending the icmp could you do a tcp. and past the results.

also could you

Re: The output interface as "np identity ifc", and ping fail

matthewik.lee — Mon, 16 May 2022 10:14:33 GMT

Hi Sheraz,

The rules are there:

TWTPCAFW17# sh run access-group
access-group outside_access_in in interface outside
access-group dxc_mgmt_access_in in interface dxc_mgmt
access-group RC_SMS_access_in in interface RC_SMS
access-group RC_eNavi_access_in in interface RC_eNavi
access-group RC_eDM-AP_access_in in interface RC_eDM-AP
TWTPCAFW17# sh run access-list dxc_mgmt_access_in | i icmp
access-list dxc_mgmt_access_in extended permit icmp object-group grp_Mgmt_NMS object-group DM_INLINE_NETWORK_2 log default
access-list dxc_mgmt_access_in extended permit icmp object-group grp_Office_GNS01 object-group DM_INLINE_NETWORK_4
access-list dxc_mgmt_access_in extended permit icmp 134.251.80.0 255.255.248.0 object-group DM_INLINE_NETWORK_7
access-list dxc_mgmt_access_in extended permit icmp any any
TWTPCAFW17# sh run access-list RC_eNavi_access_in | i icmp
access-list RC_eNavi_access_in extended permit icmp any any
access-list RC_eNavi_access_in extended permit icmp any any echo-reply
access-list RC_eNavi_access_in extended permit icmp 134.251.87.224 255.255.255.240 any

Re: The output interface as "np identity ifc", and ping fail

Sheraz.Salim — Mon, 16 May 2022 11:14:05 GMT

in your first post you did a packet tracer 134.251.80.53 8 0 134.251.87.253

ASA# packet-tracer input dxc_mgmt icmp 134.251.80.53 8 0 134.251.87.253$

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dxc_mgmt_access_in in interface dxc_mgmt
access-list dxc_mgmt_access_in remark 20190612 ITO Network request Send ICMP to network devices #019313
access-list dxc_mgmt_access_in extended permit icmp object-group grp_Mgmt_NMS object-group DM_INLINE_NETWORK_2 log default
object-group network grp_Mgmt_NMS
network-object host 134.251.80.207
network-object host 134.251.80.52
network-object host 134.251.80.53
network-object host 134.251.80.54
network-object host 134.251.80.8
network-object host 134.251.80.6
network-object host 134.251.80.200
object-group network DM_INLINE_NETWORK_2
network-object 134.251.78.144 255.255.255.240
network-object 134.251.87.224 255.255.255.224
network-object 134.251.87.96 255.255.255.224
network-object 172.30.0.0 255.255.255.128
network-object 113.21.86.32 255.255.255.248
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac9c446e0, priority=13, domain=permit, deny=false
hits=838, user_data=0x2aaabdb3c540, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=134.251.80.53, mask=255.255.255.255, icmp-type=0, tag=any
dst ip/id=134.251.87.224, mask=255.255.255.224, icmp-code=0, tag=any, dscp=0x0
input_ifc=dxc_mgmt, output_ifc=any

however you dst ip seem to be different it showing up as 134.251.87.224 not 134.251.87.253

Re: The output interface as "np identity ifc", and ping fail

Sheraz.Salim — Mon, 16 May 2022 11:17:41 GMT

in your first post you did a packet tracer 134.251.80.53 8 0 134.251.87.253

ASA# packet-tracer input dxc_mgmt icmp 134.251.80.53 8 0 134.251.87.253$

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dxc_mgmt_access_in in interface dxc_mgmt
access-list dxc_mgmt_access_in remark 20190612 ITO Network request Send ICMP to network devices #019313
access-list dxc_mgmt_access_in extended permit icmp object-group grp_Mgmt_NMS object-group DM_INLINE_NETWORK_2 log default
object-group network grp_Mgmt_NMS
network-object host 134.251.80.207
network-object host 134.251.80.52
network-object host 134.251.80.53
network-object host 134.251.80.54
network-object host 134.251.80.8
network-object host 134.251.80.6
network-object host 134.251.80.200
object-group network DM_INLINE_NETWORK_2
network-object 134.251.78.144 255.255.255.240
network-object 134.251.87.224 255.255.255.224
network-object 134.251.87.96 255.255.255.224
network-object 172.30.0.0 255.255.255.128
network-object 113.21.86.32 255.255.255.248
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac9c446e0, priority=13, domain=permit, deny=false
hits=838, user_data=0x2aaabdb3c540, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=134.251.80.53, mask=255.255.255.255, icmp-type=0, tag=any
dst ip/id=134.251.87.224, mask=255.255.255.224, icmp-code=0, tag=any, dscp=0x0
input_ifc=dxc_mgmt, output_ifc=any

however you dst ip seem to be different it showing up as 134.251.87.224 not 134.251.87.253

can you do packe tracer on both ip addresses with detail at the end and show the output

Re: The output interface as "np identity ifc", and ping fail

MHM Cisco World — Mon, 16 May 2022 13:24:18 GMT

clear conn <Server IP>
&
timeout floating-conn 0:01:00

solve your issue here.

Re: The output interface as "np identity ifc", and ping fail

Sheraz.Salim — Mon, 16 May 2022 12:14:02 GMT

using clear conn can cause a downtime in production network traffic I wont use this command as issuing this command can cause a blip in network.

instead the save command is clear conn x.x.x.x

Re: The output interface as "np identity ifc", and ping fail

Marius Gunnerud — Mon, 16 May 2022 13:18:37 GMT

could you configure a packet capture on the RC_eNavi interface and then initiate traffic from a device that should have connectivity to the 134.251.87.254 server?

capture cap-eNavi interface RC_eNavi match ip host < test PC IP > host 134.251.87.254

show cap cap-eNavi

if you see traffic exiting the interface then all is OK with the firewall, if you do not see return traffic then there is an issue between the firewall and the server or on the server itself.

Re: The output interface as "np identity ifc", and ping fail

MHM Cisco World — Mon, 16 May 2022 13:23:40 GMT

I mention this point in my commend

clear conn <- use IP of server