Misconfigured NAT and Routing
After you have verified that the packets are reaching to the router's interface and are not being dropped by the ACL, verify if you have configured a destination NAT. If so, verify if the NAT translation is being built up or not by executing show ip nat translation. If the proper translation is built up, be sure there is a route for the destination you are trying to reach by executing show ip route destination_ip/network. If you do not find a route, define one for the destination network. Note that the initial packet must leave the router before the inspection engine inspects and creates a session with SIS_OPENING. As discussed earlier, debug ip packet detail ACL can be used in conjunction with the show commands mentioned in this section to determine if the failure of the initial packet is caused either by the NAT or by routing. However, it is beyond the scope of this chapter to go through NAT or routing troubleshooting. However, the debug ip nat command can assist in getting details on why NAT is not working.