My thinking is usually packet oriented. If you are dealing with a tcp connection failing, I find it is easy to get "just enough" information by matching on the syn flag.
access-list 101 permit tcp any any syn debug ip packet detail 101 That is usually yields enough information to see if the device is getting the packet, if it has been nat'd, and if it responds. Since we are matching on syn's, it will ignore established connections and no further filtering is typically necessary.
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
