How to troubleshoot access issues in Cisco ASA?

The packet-tracer command traces the lifespan of a packet through the security appliance so you can see whether the packet is handled as expected.

packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]

The packet-tracer command lets you do the following:
- Debug all packet drops in a production network.
- Verify the configuration is working as intended.
- Show all rules applicable to a packet, along with the CLI lines that caused the rule addition.
- Show a timeline of packet changes in a data path.
- Inject tracer packets into the data path.

The packet-tracer command provides detailed information about packets and how the security appliance processes them. When a packet is dropped for a reason other than a command in the configuration, packet-tracer still reports the cause in an easily readable form. For example, if a packet was dropped because of an invalid header validation, a message is displayed that says, “packet dropped due to bad ip header (reason).”

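To trace a packet from an inside host to an external host with detailed information, enter the following, where src_addr and dest_addr are the IP addresses of the inside and external hosts:

hostname# packet-tracer input inside tcp src_addr www dest_addr aol detailed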
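
When a trace is saved to a file, the phase that dropped the packet and the CLI lines behind it can be extracted automatically. The following is an added example, not part of the original page or of any Cisco tool; it assumes the usual text-mode layout (blank-line separated "Phase:" blocks followed by a final "Result:" summary), and the sample trace, including the ACL name INSIDE_IN, is constructed.

```python
import re

# Constructed sample of text-mode packet-tracer output (not from the page).
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group INSIDE_IN in interface inside
access-list INSIDE_IN extended deny tcp any any eq www
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(text):
    """Return (phases, summary) parsed from text-mode packet-tracer output."""
    phases, summary = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines()]
        if lines and lines[0].startswith("Phase:"):
            phase, section = {"Config": []}, None
            for line in lines:
                if line in ("Config:", "Additional Information:"):
                    section = line
                elif section == "Config:":
                    phase["Config"].append(line)  # CLI line behind the rule
                elif section is None:
                    key, _, value = line.partition(":")
                    phase[key] = value.strip()
            phases.append(phase)
        elif lines and lines[0] == "Result:":
            summary = dict(map(str.strip, l.partition(":")[::2]) for l in lines[1:])
    return phases, summary

def first_drop(phases):
    """Return the first phase whose Result is DROP, or None if none dropped."""
    return next((p for p in phases if p.get("Result") == "DROP"), None)
```

Calling parse_trace on a saved trace and passing the phases to first_drop gives the dropping phase's Type and Config lines, while the summary's Drop-reason covers drops that no configured rule caused.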