Can you run a packet sniffer on the test server 192.168.63.205 and see if the ping packets are making it there?

Another test I would do it place the two failing hosts on the same host, also migrate the edge device to that host (so all traffic is host local).

If that works then the issue might be something with the vlan routing that is backing the isolation.

Also... what type of network pool is this backed with?  VLAN, VCNI, VxLan, NSX?

So what you are saying is that you imported a VM into a network that is based on 192.168.10.0/24, but it has an IP of 192.168.63.177 and you didn't customize it.

Firebird89 wrote:

So the router will have a rule set based on 192.168.10.0/24 (10.1 - 10.255) ....

Did you re-customize this guest to say the Default Gateway is 192.168.10.1?  Ideally, you would want to re-customize the guest to actually use an IP from the 192.168.10.0/24 network. so that it's part of the actual network schema, not some manual IP given by something else.

The ping works to 192.168.10.1 probably because it'll see the ICMP request and reply, as it's the only gateway on the inside of the NAT network.

From the outside in 10.3 -> 192.168.63.177 would fail since the return route won't use the correct gateway given the VM configuration.

If the 192.168.11.1 is a routed network on the same edge gateway device, then it might work since it's internal to the GW and a known address.

the last one I can't explain in scenario 3 without seeing an actual network topology, and complete IP config of the source NIC Card, nat rules (SNAT vs 1:1, etc)