Does the Cisco ASA send a reset when a packet is denied by configured access-list ?
This depends on how the access-list is configured: whether it is applied to inbound or outbound traffic on an interface, and whether a "service reset" command is set, as described here:
service resetinbound:
Sends TCP resets for all inbound TCP sessions that attempt to transit the adaptive security appliance and are denied by the adaptive security appliance based on access lists or AAA settings.
service resetoutbound: (Default)
Sends TCP resets for all outbound TCP sessions that attempt to transit the adaptive security appliance and are denied by the adaptive security appliance based on access lists or AAA settings.
service resetoutside:
Enables resets for TCP packets that terminate at the least secure interface and are denied by the adaptive security appliance based on access lists or AAA settings.
resetinbound ----> Send reset to a denied inbound TCP packet
resetoutbound ----> Send reset to a denied outbound TCP packet
resetoutside ----> Send reset to a denied TCP packet to outside interface
By default (service resetoutbound), the Cisco ASA sends an explicit TCP reset for connections terminating at the Cisco ASA firewall if they are denied by an access-list configured to block outbound connections, like this:
access-list OUT line 1 extended deny ip host 1.1.1.1 host 2.2.2.2
access-group OUT out interface outside
For the same access-list, if it is applied as an inbound access-list, the connection will be dropped without any reset being sent out:
access-list OUT line 1 extended deny ip host 1.1.1.1 host 2.2.2.2
access-group OUT in interface outside
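To confirm that a deployed ASA behaves as the service reset descriptions above predict, here is an added Python check (not Cisco's code and not part of the original answer): it derives the expected outcome from the configured service resetinbound/resetoutbound settings and the access-group direction, then attempts a TCP connect through the firewall and classifies the result (a RST surfaces as ConnectionRefusedError, a silent drop as a timeout). The host and port are placeholders you supply for a flow the access-list denies; service resetoutside is not modelled.

```python
import socket
from typing import Optional

# Expected ASA behaviour for a TCP session denied by an access-list, taken from
# the service reset* descriptions above. Constructed mapping for this check only.
def expected_behavior(direction: str, resetinbound: bool = False,
                      resetoutbound: bool = True) -> str:
    """Return 'reset' if the ASA should answer a denied TCP session with a RST,
    'silent-drop' otherwise. resetoutbound defaults to True (the ASA default)."""
    if direction == "in":
        return "reset" if resetinbound else "silent-drop"
    if direction == "out":
        return "reset" if resetoutbound else "silent-drop"
    raise ValueError(f"unknown access-group direction {direction!r}")

def classify_connect_result(exc: Optional[BaseException]) -> str:
    """Map the outcome of a TCP connect() to the firewall behaviour it implies.
    ConnectionRefusedError means a RST came back; a timeout means the SYN was
    dropped without any RST."""
    if exc is None:
        return "open"
    if isinstance(exc, ConnectionRefusedError):
        return "reset"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "silent-drop"
    return f"other:{type(exc).__name__}"

def observe(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connect through the firewall and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify_connect_result(None)
    except OSError as exc:
        return classify_connect_result(exc)

def check(direction: str, host: str, port: int,
          resetinbound: bool = False, resetoutbound: bool = True):
    """Compare predicted and observed behaviour; returns (expected, observed, ok)."""
    expected = expected_behavior(direction, resetinbound, resetoutbound)
    observed = observe(host, port)
    return expected, observed, expected == observed

if __name__ == "__main__":
    # Placeholder target: a host/port pair your inbound access-list denies.
    print(check("in", "203.0.113.10", 443))
```

With the inbound example above and no service resetinbound, the check expects "silent-drop"; adding service resetinbound flips the expectation to "reset".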
Reference: