Troubleshooting PIX Access-Lists?

What are some good tools/methods for troubleshooting PIX access-list
issues? For example, say that I'm blocking all outbound smtp for all
machines with the exception of our authorized email servers (as noted
in sample below). The email admin stops by one morning and says that
he can no longer send smtp to external clients from internal email
server 172.28.12.16 but the server has tested OK. How can I verify
that smtp traffic is indeed showing up at the internal pix interface
and passing thru the pix to external clients?

"sample" access-list >>

access-list net_in permit tcp host 172.28.12.14 any eq smtp
access-list net_in permit tcp host 172.28.12.15 any eq smtp
access-list net_in permit tcp host 172.28.12.16 any eq smtp
access-list net_in deny tcp any any eq smtp
access-list net_in permit ip any any

Scenario 2 -

I allow www access from outside interface to several internal web
servers but one day the web admin says that the internal "web server3
- 172.28.12.5" is no longer responding to www from outside requests
but is responding to www via internal requests?

"sample" access-list >>

static (inside,outside) 15.31.208.195 172.28.12.5 netmask
255.255.255.255 0 0
static (inside,outside) 15.31.208.196 172.28.12.6 netmask
255.255.255.255 0 0
static (inside,outside) 15.31.208.197 172.28.12.16 netmask
255.255.255.255 0 0
access-list inbound permit tcp any host 12.31.208.195 eq www
access-list inbound permit tcp any host 12.31.208.196 eq www
access-list inbound permit tcp any host 12.31.208.197 eq smtp


I need a way to quickly troubleshoot these type of issues either via
Telnet "CLI" or the PDM.

Thoughts? TIA!

 

:What are some good tools/methods for troubleshooting PIX access-list
:issues?

PIX 6.3, create an ACL to match the traffic of interest, and create
a 'capture'. That'll allow you to grab the packets themselves.

Beyond that, you use 'debug' commands to observe the variety of
behaviour you suspect to be errant.