Best rule to use to determine whether or not a device is up?
The MARS has a built in system rule named "System Rule: Inactive CS-MARS Reporting Device", which triggers an incident whenever the "Inactive CS-MARS reporting device" event is generated. The event, in turn, is generated when the MARS has not heard from a device in 10 minutes and contains the IP address of the inactive device. This is the closest that you'll find on the MARS to the functionality you describe.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
[toc:faq]Introduction:This document describes details on how NAT-T
works.Background:ESP encrypts all critical information, encapsulating
the entire inner TCP/UDP datagram within an ESP header. ESP is an IP
protocol in the same sense that TCP and UDP are I...