Hello Edward,
Thank you for your response. I think my explanation was not very good, so i will explain it a little bit more in detail.
1. For example we have a Server in the DMZ and a client in the Intranet. Now the Client want to connect to the Server. So he sends a TCP Syn to the ASA, the ASA makes an ARP Request, gets an answer from the Server an forwards the Paket. This is the normal behaviour.
If the Server is down. The ASA makes an ARP Request an doesn't get an answer, so the client gets an Timout and waits for a long time and also doesn't get an answer. I would expect the ASA to send an ICMP Host unreachable message back to the Client after a ARP Timeout . So the Application of the Client immidiatly prints an Error Message.
This is also important for us Administrators. If we Ping a Host in the DMZ we don't get an Answer. Now it could be the Firewall dropping the Paket or the host is down. If we would get an Host unreachable message, we would know that the Server is down and its not the firewall dropping the Paket.
2. This question was similar. For example we have a Host which is only reachable form a special subnet. If a Administrtor want to debug if he can reach this Host, he Pings the Host. He doesn't get an Answer because the Firewall drops it. So now again the Question is, if a Firewall is dropping it or if the Server is down or anything else is going wrong. For some ACLs it would be helpful to configure the ASA to send back an ICMP Unreachable Communication Administratively Prohibited (this could also be any other ICMP ERROR Message, or TCP Reset). So the debugging would be a lot easier.
It would also be good to send these Error Messages only to the intranet and not in the internet.
I hope it is a little bit clearer, what my question is.
Regards,
Benjamin
