Use the "capture" command (this is also in 6.3, debug packet has been deprecated for a while now".

This is a much more powerful command, allowing you to capture on both input and output interfaces simultaneously, then even save the packet capture off in pcap format so you can look at it with Sniffer/Ethereal. Very cool command.

Sample scenario:

Problem:

User on the Inside with an IP of 192.168.1.8 is having a problem accessing

Cisco.com (198.133.219.25). The user is getting NATed to 1.1.1.8

Step 1: Create ACL for both Inside and Outside Interface specifying the pre-NAT'd source and destination traffic in both directions

Access-list out permit tcp host 1.1.1.8 host 198.133.219.25 eq 80

Access-list out permit tcp host 198.133.219.25 eq 80 host 1.1.1.8

Access-list in permit tcp host 192.168.1.8 host 198.133.219.25 eq 80

Access-list in permit tcp host 198.133.219.25 eq 80 host 192.168.1.8

Step 2: Create captures on both Inside and Outside Interface

capture out-web access-list out buffer 700000 interface outside packet-length 1518

capture in-web access-list in buffer 700000 interface inside packet-length 1518

Step 3: Have Inside user access www.cisco.com

Step 4: Copy the captures off to a TFTP server

copy capture:out-web tftp://10.1.1.10 pcap

copy capture:in-web tftp://10.1.1.10 pcap

OR copy using https:

http server enable

http 0.0.0.0 0.0.0.0 outside

https:///capture/out-web/pcap

You can research it further here:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/c.htm#wp1910869