Q1. I understand that for server-initiated connections hitting the internet we use a source group to translate the "private IP" of the service to an internet-routable "public IP". What if the server-initiated connections are not for the internet but for some internal host connected via a router that routes "service IPs" to the CSS?
Q2. What is the significance of the "bypass" feature in a CSS ACL?
Let's say we have 2 services (10.10.10.1 & 10.10.10.2) behind a VIP 200.200.200.200, and each server needs to call the VIP for some pages.
What will be the difference between the following two ACLs?
group outbond_nat
vip 200.200.200.1
active
Option #1
clause 10 permit any 10.10.10.0 255.255.255.0 content <rule> sourcegroup outband_nat
clause 20 permit any any destination any
Option #2
clause 10 permit any 10.10.10.0 255.255.255.0 content <rule> sourcegroup outband_nat
clause 20 bypass 10.10.10.0 255.255.255.0 destination any
clause 30 permit any any destination any
Q3. Is it needed to create an ACL for established connections? For example, if the services initiate connections to the internet, do we need ACLs on the circuit facing the internet?
Thanks in advance
d.