Pinging from one SRC to several DSTs, I can see that some attempts show drops in my capture while others do not. I would like to know how I can see exactly what happens to every ICMP packet that arrives, for the tests listed below. Thanks!
Topology:
ASA config - ready to paste into GNS3:
!-- Test lab script
en
conf t
hostname US
!-- Interfaces: both at security-level 50, so traffic between them
!-- depends on "same-security-traffic permit inter-interface"
int gi0
 ip address 172.30.1.1 255.255.255.0
 nameif backend
 security-level 50
 no shut
int gi1
 ip address 10.15.99.129 255.255.255.0
 nameif data_admin
 security-level 50
 no shut
same-security-traffic permit inter-interface
!-- Objects used by the static NAT below
object network host_10.15.99.129
 host 10.15.99.129
object network host_10.59.2.137
 host 10.59.2.137
!-- Interface ACLs (each "line 1" is inserted at the top, so the icmp echo
!-- entry ends up above the permit ip any any entry)
access-list backend line 1 extended permit ip any any
access-list backend line 1 extended permit icmp any any echo
access-list data_admin line 1 extended permit ip any any
access-list data_admin line 1 extended permit icmp any any echo
access-group backend in int backend
access-group data_admin in int data_admin
!-- Route back to the PC subnet via the backend router
route backend 10.80.55.0 255.255.255.0 172.30.1.2
!-- Twice NAT: the data_admin interface IP appears as 10.59.2.137 on backend
nat (data_admin,backend) source static host_10.15.99.129 host_10.59.2.137
!-- ICMP inspection applied on both interfaces
class-map icmp-class
 match any
exit
policy-map icmp_policy
 class icmp-class
  inspect icmp
exit
service-policy icmp_policy interface backend
service-policy icmp_policy interface data_admin
!-- Captures: ICMP on ingress and egress, plus all ASP drops
capture capin int backend match icmp any any
capture capout int data_admin match icmp any any
capture aspdrop type asp-drop all match ip any any
Packet captures:
!-- From PC to NAT IP of data_admin interface (FW)
9 packets captured
2: 04:27:33.064129 10.80.55.50 > 10.59.2.137: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
5: 04:27:35.046445 10.80.55.50 > 10.59.2.137: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
7: 04:27:37.105936 10.80.55.50 > 10.59.2.137: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
8: 04:27:39.090586 10.80.55.50 > 10.59.2.137: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
9: 04:27:41.117944 10.80.55.50 > 10.59.2.137: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
!-- From PC to interface IP of data_admin interface (FW)
Nothing
!-- From PC to data_admin router interface
12 packets captured
5: 19:24:07.343045 10.80.55.50 > 10.15.99.130: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
6: 19:24:09.287643 10.80.55.50 > 10.15.99.130: icmp: echo request
7: 19:24:11.370510 10.80.55.50 > 10.15.99.130: icmp: echo request
10: 19:24:13.166022 10.80.55.50 > 10.15.99.130: icmp: echo request
11: 19:24:15.201863 10.80.55.50 > 10.15.99.130: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
12: 19:24:17.262223 10.80.55.50 > 10.15.99.130: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
Once we have answered the question of why I cannot see these drops, I would like to know why they are being dropped in the first place. I have already tried setting the service policy globally, putting the inspect in the default class, and setting inspect globally, all with the same result. Ultimately, shouldn't the ACL permit for ICMP plus ICMP inspection cover everything?
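As an added example (not code from the original post), the following Python script parses the `show capture` listing format shown above and tallies, per source/destination pair, how many echo requests passed and how many were dropped with which ASP drop reason, which is the first thing to line up against the `aspdrop` capture. The capture lines embedded below are copied from the post; the script assumes only the listing format shown there (index, timestamp, `src > dst: icmp: message`, with an optional `Drop-reason: (code) detail` suffix) and does not talk to the ASA.

```python
"""Summarise an ASA 'show capture' listing: per (src, dst) flow, how many ICMP
packets passed and how many were dropped, keyed by ASP drop reason.

Added example, not part of the original post. The sample captures below are
copied from the post; everything else is an assumption about the text format.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One capture entry: "<idx>: <hh:mm:ss.usec> <src> > <dst>: icmp: <msg>"
# optionally followed by " Drop-reason: (<code>) <detail>".
CAPTURE_LINE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>[0-9.]+)\s+>\s+(?P<dst>[0-9.]+):\s+icmp:\s+(?P<msg>.+?)"
    r"(?:\s+Drop-reason:\s+\((?P<reason>[^)]+)\)\s*(?P<detail>.*?))?\s*$"
)


@dataclass
class Packet:
    idx: int
    ts: str
    src: str
    dst: str
    msg: str
    reason: Optional[str]  # ASP drop code such as "acl-drop"; None if passed
    detail: str


@dataclass
class FlowSummary:
    passed: int = 0
    dropped: Counter = field(default_factory=Counter)  # reason -> count
    indexes: List[int] = field(default_factory=list)   # capture indexes seen


def parse_line(line: str) -> Optional[Packet]:
    """Return a Packet for a capture entry, None for headers/comments."""
    m = CAPTURE_LINE.match(line)
    if not m:
        return None
    return Packet(idx=int(m["idx"]), ts=m["ts"], src=m["src"], dst=m["dst"],
                  msg=m["msg"], reason=m["reason"],
                  detail=(m["detail"] or "").strip())


def summarize(capture_text: str) -> Dict[Tuple[str, str], FlowSummary]:
    """Group a whole listing by (src, dst) and count passed vs dropped."""
    flows: Dict[Tuple[str, str], FlowSummary] = defaultdict(FlowSummary)
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        flow = flows[(pkt.src, pkt.dst)]
        flow.indexes.append(pkt.idx)
        if pkt.reason is None:
            flow.passed += 1
        else:
            flow.dropped[pkt.reason] += 1
    return dict(flows)


def report(flows: Dict[Tuple[str, str], FlowSummary]) -> str:
    """One line per flow, e.g. 'a > b: 3 passed, 3 dropped (acl-drop x3)'."""
    lines = []
    for (src, dst), f in sorted(flows.items()):
        drops = ", ".join(f"{r} x{n}" for r, n in sorted(f.dropped.items()))
        line = f"{src} > {dst}: {f.passed} passed, {sum(f.dropped.values())} dropped"
        lines.append(line + (f" ({drops})" if drops else ""))
    return "\n".join(lines)


# Captures copied from the post: PC -> NAT IP of data_admin, and PC -> router.
CAPTURE_TO_NAT_IP = """\
9 packets captured
2: 04:27:33.064129 10.80.55.50 > 10.59.2.137: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
5: 04:27:35.046445 10.80.55.50 > 10.59.2.137: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
7: 04:27:37.105936 10.80.55.50 > 10.59.2.137: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
8: 04:27:39.090586 10.80.55.50 > 10.59.2.137: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
9: 04:27:41.117944 10.80.55.50 > 10.59.2.137: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
"""

CAPTURE_TO_ROUTER = """\
12 packets captured
5: 19:24:07.343045 10.80.55.50 > 10.15.99.130: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
6: 19:24:09.287643 10.80.55.50 > 10.15.99.130: icmp: echo request
7: 19:24:11.370510 10.80.55.50 > 10.15.99.130: icmp: echo request
10: 19:24:13.166022 10.80.55.50 > 10.15.99.130: icmp: echo request
11: 19:24:15.201863 10.80.55.50 > 10.15.99.130: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
12: 19:24:17.262223 10.80.55.50 > 10.15.99.130: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    print(report(summarize(CAPTURE_TO_NAT_IP)))
    print(report(summarize(CAPTURE_TO_ROUTER)))
```

Feed it the output of `show capture capin` and `show capture aspdrop` separately: a packet that appears in the ingress capture without a `Drop-reason` but never shows up in the egress capture is the one to chase with `packet-tracer`, since the listing alone does not say where it went.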
