Hi sir

I use an IP 134.251.87.253 134.251.87.254 as a server IPs behind the firewall ASA.

Both servers' gateway IP is 134.251.87.237, which is a port IP on the ASA.

I can ping 134.251.87.253 134.251.87.254  from the ASA.

But from other subnets, I can only ping 134.251.87.253, cannot ping 134.251.87.254.

I do the packet-tracer for both:

ASA# packet-tracer input dxc_mgmt icmp 134.251.80.53 8 0 134.251.87.253$

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacbfa8540, priority=13, domain=capture, deny=false
hits=4463289, user_data=0x2aaacab68c90, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=dxc_mgmt, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaaca26f740, priority=1, domain=permit, deny=false
hits=10241882003, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=dxc_mgmt, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 134.251.87.253 using egress ifc RC_eNavi

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dxc_mgmt_access_in in interface dxc_mgmt
access-list dxc_mgmt_access_in remark 20190612 ITO Network request Send ICMP to network devices #019313
access-list dxc_mgmt_access_in extended permit icmp object-group grp_Mgmt_NMS object-group DM_INLINE_NETWORK_2 log default
object-group network grp_Mgmt_NMS
network-object host 134.251.80.207
network-object host 134.251.80.52
network-object host 134.251.80.53
network-object host 134.251.80.54
network-object host 134.251.80.8
network-object host 134.251.80.6
network-object host 134.251.80.200
object-group network DM_INLINE_NETWORK_2
network-object 134.251.78.144 255.255.255.240
network-object 134.251.87.224 255.255.255.224
network-object 134.251.87.96 255.255.255.224
network-object 172.30.0.0 255.255.255.128
network-object 113.21.86.32 255.255.255.248
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac9c446e0, priority=13, domain=permit, deny=false
hits=838, user_data=0x2aaabdb3c540, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=134.251.80.53, mask=255.255.255.255, icmp-type=0, tag=any
dst ip/id=134.251.87.224, mask=255.255.255.224, icmp-code=0, tag=any, dscp=0x0
input_ifc=dxc_mgmt, output_ifc=any

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac7f1c970, priority=0, domain=nat-per-session, deny=true
hits=735229489, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaaca2434a0, priority=0, domain=inspect-ip-options, deny=true
hits=156575230, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=dxc_mgmt, output_ifc=any

ASA# packet-tracer input dxc_mgmt icmp 134.251.80.53 8 0 134.251.87.254$

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacbfa8540, priority=13, domain=capture, deny=false
hits=4449627, user_data=0x2aaacab68c90, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=dxc_mgmt, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaaca26f740, priority=1, domain=permit, deny=false
hits=10241875173, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=dxc_mgmt, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 134.251.87.254 using egress ifc identity

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaaca16ac60, priority=121, domain=permit, deny=false
hits=6729135, user_data=0x0, cs_id=0x0, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=dxc_mgmt, output_ifc=identity

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac7f1c970, priority=0, domain=nat-per-session, deny=true
hits=735229265, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaaca2434a0, priority=0, domain=inspect-ip-options, deny=true
hits=156575138, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=dxc_mgmt, output_ifc=any

Phase: 7
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaaca1ebe10, priority=208, domain=cluster-redirect, deny=false
hits=12628019, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=dxc_mgmt, output_ifc=identity

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaaca1a9180, priority=66, domain=inspect-icmp, deny=false
hits=7041469, user_data=0x2aaac97ed3d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=dxc_mgmt, output_ifc=identity

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaaca242fb0, priority=66, domain=inspect-icmp-error, deny=false
hits=44449213, user_data=0x2aaac97ec890, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=dxc_mgmt, output_ifc=any

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 111925142, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: dxc_mgmt
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: allow

For 134.251.87.254:

output-interface: NP Identity Ifc , which is weird.

For 134.251.87.253:

output-interface: RC_eNavi, which is expected.

Also execute the command "show asp table routing" and find,

ASA# show asp table routing | i 134.251.87
in 134.251.87.254 255.255.255.255 identity <<<<<
in 134.251.87.126 255.255.255.255 identity
in 134.251.87.238 255.255.255.255 identity
in 134.251.87.125 255.255.255.255 identity
in 134.251.87.237 255.255.255.255 identity
in 134.251.87.224 255.255.255.224 RC_eNavi

Anyone can help me to why output-interface: NP Identity Ifc, which is the box self AFAIK.

Thank you a lot. Matthew