I personally prefer to only allow traffic from the actual source networks that are located behind the interface instead of specifying the source as "any" in the ACL statement.
I also tend to add a "deny ip any any" statement at the end of the interface ACL (even though it already contains Implicit Deny). This is because this will let me actually see the hitcount of denied traffic on that interface while the Implicit Deny counter cannot be seen.
Naturally, if you have "ip verify reverse-path" configured for your LAN/DMZ interface, then that will already make sure that traffic is not allowed from source addresses/networks that, according to the ASA routing table, are NOT located behind the source interface.
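As an added illustration of the three points in the reply above (not configuration taken from the original post), here is a loose inside-interface ACL beside a tightened one for a hypothetical ASA 8.3+ box. The interface name "inside", the ACL name INSIDE_IN, and the LAN subnet 192.168.10.0/24 are constructed for the example.

```cisco
! --- Loose version: any source is accepted on the inside interface ---
! Spoofed or misrouted sources behind "inside" are permitted, and the only
! deny is the implicit one, whose hit count is never shown.
access-list INSIDE_IN_LOOSE extended permit ip any any
access-group INSIDE_IN_LOOSE in interface inside

! --- Tightened version: only the real LAN behind the interface is permitted ---
! Constructed LAN subnet; replace with the network actually behind the interface.
object network LAN_192_168_10
 subnet 192.168.10.0 255.255.255.0

! Permit only the real source network, then an explicit "deny ip any any"
! so denied traffic on this interface has a visible hit counter.
access-list INSIDE_IN extended permit ip object LAN_192_168_10 any
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! Unicast RPF on the same interface: drop sources that the ASA routing
! table does not place behind "inside", even before the ACL is consulted.
ip verify reverse-path interface inside

! Verification: the explicit deny line now reports its own (hitcnt=N),
! which the implicit deny never does.
! show access-list INSIDE_IN
```

When checking the result with `show access-list INSIDE_IN`, a growing `hitcnt` on the final `deny ip any any log` line is the signal the post is after: it shows how much traffic that interface is actually rejecting, and the `log` keyword additionally produces syslog entries for each matching flow.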