Cisco ASA Firewall

http://www.networksa.org/?p=298

logging enable
logging timestamp
logging buffered warnings
logging buffer-size 65000
logging list acl-messages message 106023
 ##106023, which according to Cisco is always generated when an ACL denies a packet,
logging list acl-messages message 106023
logging monitor acl-messages
logging console acl-messages

Traceroute through ASA
ASA Packet capture
Cisco ASA Firewall Best Practices for Firewall Deployment
packet-tracer

QOS

http://brian-kayser.blogspot.com/2010/10/doing-asa-quality-of-service-qos.html
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_qos.html

Capture

(on shell connection)
 conf t
 access-list 99 extended permit tcp any host 10.0.0.1 eq 25
Ctrl-Z
capture TEST int inside access-list 99 buffer 1024000

Then try the connection to the outside IP from the app server, once that fails, do a "show capture TEST"
(to disable, do "no capture TEST")

...