Your question "..need to permit traffic to application layer https?" - are you referring to how to permit https traffic for application access from outside to inside?
If this is what you're looking for, please see the example below:
What you need to do is map your internal server IP (running an application accessible via https) to a public IP and use an access-list (ACL) to allow only HTTPS to pass through from outside to inside/internal (to your internal server). Once ready, bind the ACL to the outside interface.
access-list outside permit tcp any host xx.xx.xx.10 eq https <--- access-list allowing incoming https traffic only
access-list outside deny ip any any <-- deny other unwanted traffic. Make sure this parameter is the last one in your ACL.
access-group outside in interface outside <-- bind ACL outside to your outside (eth0) interface
static (inside,outside) xx.xx.xx.10 aa.aa.aa.50 netmask 255.255.255.255 <--- map your aa.aa.aa.50 (internal server IP) to a public IP
route outside 0 0 xx.xx.xx.1 <---- default route for PIX pointing to your internet router
Test connectivity using ICMP/ping from outside (ping from the internet router or the internet) to your server by temporarily opening ICMP in the same outside ACL. Remove this if the ping is successful.
access-list outside permit icmp any host xx.xx.xx.10
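
An offline check for the two reminders in the answer above (keep the catch-all deny last, remove the ICMP test entry afterwards), added here as an example and not part of the original post. The function name `audit_acl`, the sample config and its 203.0.113.10 address are constructed for illustration, and the parser assumes the PIX-style `access-list <name> permit|deny ...` syntax shown in the post.

```python
import re

# Constructed sample config: the post's ACL with an RFC 5737 documentation
# address substituted for the masked public IP, and the temporary ICMP test
# entry added after the final deny.
SAMPLE = """\
access-list outside permit tcp any host 203.0.113.10 eq https
access-list outside deny ip any any
access-list outside permit icmp any host 203.0.113.10
access-group outside in interface outside
"""

ACE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.+)$")
BIND = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def audit_acl(config, acl_name="outside"):
    """Return (line_no, message) findings for one ACL, evaluated first-match."""
    findings, deny_all_line, bound = [], None, False
    for line_no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        bind = BIND.match(line)
        if bind and bind.group(1) == acl_name:
            bound = True  # ACL is applied to an interface
            continue
        ace = ACE.match(line)
        if not ace or ace.group(1) != acl_name:
            continue
        _, action, proto, rest = ace.groups()
        if deny_all_line is not None:
            # Entries are matched top-down: nothing after the catch-all deny is evaluated.
            findings.append((line_no, f"never matched: follows 'deny ip any any' on line {deny_all_line}"))
        elif action == "deny" and proto == "ip" and rest.split() == ["any", "any"]:
            deny_all_line = line_no
        if action == "permit" and proto == "icmp":
            findings.append((line_no, "temporary ICMP permit still present"))
    if not bound:
        # Line 0 marks a config-wide finding rather than a specific entry.
        findings.append((0, f"ACL '{acl_name}' is not bound with access-group"))
    return findings


if __name__ == "__main__":
    for line_no, message in audit_acl(SAMPLE):
        print(f"line {line_no}: {message}")
```

Run against the sample, it reports the ICMP entry twice: once because it sits below the catch-all deny and is never evaluated, and once because the test permit is still in the ACL.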