If I configure a deny access-list on my FWSMs, it seems that they just drop the packet without any response to the client. If a client wants to establish a denied connection, no response occurs and the client runs into a timeout.
Isn't there an option to not only drop a denied connection but also respond to it with a TCP RST?
This would mean that the client gets an immediate response instead of waiting for a timeout.
Thanks for any ideas.
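As an added example that is not part of the original thread (and does not talk to an FWSM at all), the following Python script reproduces on the loopback interface what the client sees in the two cases the question contrasts: a destination that answers the SYN with a TCP RST makes connect() fail immediately with ECONNREFUSED, whereas a destination that silently drops the SYN leaves connect() waiting until the socket timeout expires. The closed and listening loopback ports are constructed locally by the script; the 192.0.2.1 black-hole address is an assumption (RFC 5737 TEST-NET-1, taken to have nothing behind it) and its outcome depends on your local routing.

```python
"""Client-side view of a firewall deny: silent drop vs. TCP RST.

Added example, not from the original thread. Nothing here configures a
firewall; it only shows the difference a client observes between a SYN
that is answered with RST and a SYN that is swallowed.
"""
import errno
import socket
import time


def classify_connect(host, port, timeout=3.0):
    """Attempt one TCP connect and report what the client observed.

    Returns (result, elapsed_seconds) where result is one of:
      "connected"   - the three-way handshake completed
      "reset"       - the peer (or a firewall) answered with RST: ECONNREFUSED
      "unreachable" - no route, or an ICMP unreachable came back
      "timeout"     - nothing came back within `timeout` seconds, i.e. the
                      silent-drop behaviour the thread describes
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        result = "connected"
    except socket.timeout:
        # No SYN-ACK and no RST: from the client's point of view the
        # packet vanished, exactly like an FWSM deny ACL.
        result = "timeout"
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            # A RST (or ICMP port-unreachable) came back, so the client
            # learns immediately that the connection is refused.
            result = "reset"
        elif exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            result = "unreachable"
        else:
            raise
    finally:
        sock.close()
    return result, time.monotonic() - start


def closed_local_port():
    """Constructed test input: a loopback port with no listener.

    Bind to port 0, read the kernel-assigned port number, release it; the
    kernel will answer a SYN to that port with RST.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def listening_local_port():
    """Constructed test input: a loopback listener so a handshake can complete.

    Returns (listening_socket, port); the caller closes the socket.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    # Case 1: RST behaviour. The connect fails in well under a millisecond.
    print("closed loopback port:", classify_connect("127.0.0.1", closed_local_port(), timeout=2.0))

    # Case 2: silent-drop behaviour. 192.0.2.1 is an assumed black hole
    # (RFC 5737 TEST-NET-1); expect "timeout" after the full 2 seconds,
    # or "unreachable" if your host has no route to it at all.
    print("assumed black hole:", classify_connect("192.0.2.1", 80, timeout=2.0))
```

The point of the script is the elapsed time: with a RST the client fails instantly, with a silent drop it burns the entire timeout, and real applications (or their retry loops) burn it repeatedly. On the PIX/ASA family, which includes the FWSM, the knob that makes the firewall send a RST for denied inbound TCP connections is `service resetinbound` (with `resetoutbound` and `resetoutside` variants); this is from memory of the command reference, not from this thread, so verify it against the reference for the FWSM release you run. Keep in mind the flip side: a RST also tells a port scanner that a filter exists and is actively answering, which is one reason firewalls default to dropping silently.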
A good option if you REALLY REALLY want to have this feature.
I don't like overusing the same security levels. Problems with connections (which is inbound, which is outbound?), xlates (do you create xlates or not? which way will xlate bypass still work?) and other considerations... Most are solved by unicast RPF, but as I said, I'm not a fan.
It's just my personal opinion, but the benefits are too small, mostly because, instead of being silent, the FWSM starts generating lots of potential traffic.