I'm trying to understand why an ACL rule would be enabled in the firewall (outside interface) for any source to a specific host on the inside using HTTPS, while there is no NAT for this host and nothing pointing to it from the outside (DNS records, etc.)?
So if I understood you correctly, you have a rule on the ACL that is attached to your ASA's external interface that points to a local IP address on your LAN?
First, with regard to the NAT, I would like to confirm which ASA software version you are using: 8.2 (and below) or 8.3 (and newer)? The reason is that in the newer software the traffic is always allowed to the local IP address even when there is a NAT configured. Then again, you said that there is no NAT for this internal host towards the external network.
The only thing I can really think of right now is that you might be controlling traffic inbound from some VPN connection to this server. In this situation it would be natural to allow the traffic to the local IP address, though I would have to say that source "any" in that case would not really be ideal (at least in the new software).
If you are even controlling traffic incoming from VPN connections, you would be using a non-default setting on the ASA, which would be:
no sysopt connection permit-vpn
You can check if this is configured with the following command:
show run all sysopt
If you see the first command in the output, it means your external ACL controls connections coming from all VPN connections. If you see the same command WITHOUT the "no", then it means that all connections from VPNs bypass the external interface ACL.
So to me it seems the following:
If you are using software 8.3 (or newer) and there is no NAT configuration for this internal host, then it's either a useless rule OR it's a rule for some VPN connections (if the traffic is controlled in the previously mentioned way).
If you are using software 8.2 (or older), then the reason for such a rule would probably be related to VPN connections (if the traffic is controlled in the previously mentioned way).
Or the rule is some old configuration that has not been deleted, or it's a misconfigured rule.
Without seeing the configuration, this is what I would guess.
You can naturally monitor the connections through your firewall and check whether the ACL has any hit count.
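As an added example that is not part of the original answer, the script below applies the two checks the answer describes to captured command output: whether "no sysopt connection permit-vpn" appears in "show run all sysopt" (so VPN-terminated traffic is subject to the outside ACL), and whether the "any -> host ... eq https" ACE in "show access-list" has a non-zero hit count. The command output, the ACL name "outside_access_in" and the hosts 10.1.1.20 / 10.1.1.30 are constructed for this example, not taken from the poster's device; the verdict strings are the example's own.

```python
"""Assess an outside-interface ACE that permits HTTPS to an inside host.

Added example; the ASA output below is constructed, not captured from the
device discussed in the thread.  Two commands from the answer are parsed:
  show run all sysopt   -> is 'no sysopt connection permit-vpn' configured?
  show access-list      -> per-ACE hit counters, '(hitcnt=N)'
"""
import re

# Constructed 'show run all sysopt' excerpt with the NON-default setting
# (VPN traffic is checked against the interface ACL).
SYSOPT_VPN_CONTROLLED = """\
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
"""

# Same excerpt with the default (VPN traffic bypasses the interface ACL).
SYSOPT_DEFAULT = SYSOPT_VPN_CONTROLLED.replace(
    "no sysopt connection permit-vpn", "sysopt connection permit-vpn")

# Constructed 'show access-list outside_access_in' output (ACL name, hosts
# and hash values are placeholders).
ACL_OUTPUT = """\
access-list outside_access_in; 3 elements; name hash: 0x1a2b3c4d
access-list outside_access_in line 1 extended permit tcp any host 10.1.1.20 eq https (hitcnt=0) 0x11111111
access-list outside_access_in line 2 extended permit tcp any host 10.1.1.30 eq https (hitcnt=4821) 0x22222222
access-list outside_access_in line 3 extended deny ip any any (hitcnt=93712) 0x33333333
"""

# One extended ACE per line: action, protocol, source, destination, optional
# 'eq <port>' and the hit counter.  Source/destination may be 'any',
# 'host A.B.C.D' or 'network mask' (two tokens).
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)"
    r"(?: eq (?P<port>\S+))? \(hitcnt=(?P<hits>\d+)\)"
)


def vpn_traffic_hits_outside_acl(sysopt_output):
    """True when 'no sysopt connection permit-vpn' is set, i.e. connections
    arriving through VPN tunnels are filtered by the interface ACL."""
    return any(line.strip() == "no sysopt connection permit-vpn"
               for line in sysopt_output.splitlines())


def parse_aces(acl_output):
    """Return the ACEs (as dicts) found in 'show access-list' output;
    the summary header line is skipped because it carries no hit counter."""
    aces = []
    for line in acl_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            ace = m.groupdict()
            ace["line"] = int(ace["line"])
            ace["hits"] = int(ace["hits"])
            aces.append(ace)
    return aces


def assess_rule(sysopt_output, acl_output, host, port="https"):
    """Return (verdict, hits) for the ACE 'permit tcp any host <host> eq <port>'.

    Verdicts combine the two checks from the answer:
      no-ace              no such permit ACE exists
      unused              hitcnt=0 and VPN traffic bypasses the ACL: stale rule
      unused-maybe-vpn    hitcnt=0 but VPN traffic is ACL-controlled: may be
                          intended for VPN clients, still unused so far
      hits-vpn-controlled matched, and VPN traffic is subject to this ACL
      hits-not-vpn        matched, yet VPN traffic bypasses the ACL, so the
                          hits come from non-VPN sources: check the NAT rules
    """
    hits = None
    for ace in parse_aces(acl_output):
        if (ace["action"] == "permit" and ace["src"] == "any"
                and ace["dst"] == f"host {host}" and ace["port"] == port):
            hits = ace["hits"]
            break
    if hits is None:
        return "no-ace", None
    vpn_controlled = vpn_traffic_hits_outside_acl(sysopt_output)
    if hits == 0:
        return ("unused-maybe-vpn" if vpn_controlled else "unused"), hits
    return ("hits-vpn-controlled" if vpn_controlled else "hits-not-vpn"), hits


if __name__ == "__main__":
    for sysopt in (SYSOPT_DEFAULT, SYSOPT_VPN_CONTROLLED):
        for host in ("10.1.1.20", "10.1.1.30"):
            print(host, assess_rule(sysopt, ACL_OUTPUT, host))
```

On a live device the same two outputs come from "show run all sysopt" and "show access-list <name>"; a zero hit count on a rule that has been in place for a while, together with the default permit-vpn setting, is the combination the answer calls a useless rule.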