Cannot seem to get ASA 5508 version 9.8 to allow http requests to crl lists

Hi experts!

I am feeling really humble as I have been troubled with this for several weeks.  We updated our domain controllers and this necessitated re-implementing our PKI certificate authentication to our LAN.  We have a semi-closed LAN, but allow some outward traffic.

 

We use Identrust certificates and I have the end-user/personal cert, the intermediate cert and the Root Cert.  The latter end-user/personal cert and intermediate suggest the following as the CDP

validation.identrust.com/crl/identrust21ecas21.crl

- this translates to 192.147.157.157 and 192.35.177.153

The intermediate certificate points to crl.disa.mil

I have all three of these "hosts" in a CRL Group which is listed as the 1st entry on the Server VLAN.  It gets hits and all of that, but I do not get any success when I run certutil to see (try) what is going on.  It always says the attempted get times out and I get CRL server not available.

 

My definitions are:

object-group network objIdentrustCRL
  description identrust CRL locations
  network-object object identrust_crl
  network-object object identrustCRL2
  network-object object CRL_FQDN
  network-object object DISAintermediateCRL

 

My rule is: access-list aclServersIn extended permit tcp object-group objIdentrustCRL any eq www log

 

Is there something, hopefully obvious, that I am missing here?

 

thanks for your help

Jim

5 Replies

Francesco Molino
VIP Alumni
Hi

I believe the group objIdentrustCRL should be reachable from inside hosts, which means this group is the destination, with http as the destination port?
If so, in your ACL this group is set up as the source, and I guess this is your issue.
Where is this acl applied?
Can you share more details and also your config with your interfaces source and destination and acls?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
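As an added example (not code from the thread, from Cisco, or from either poster), here is a small Python lint for the orientation problem Francesco raises: it parses an ASA extended ACE into its source and destination halves and flags an object-group of external CRL servers that sits on the source side of an inbound ACL, or a port that is pinned to the source rather than the destination. The ACE grammar subset it accepts, the set of group names treated as "external", and the three-line sample ACL are assumptions; the first two sample lines are the ACE quoted in the question and the one the ASA itself reports later in the thread, the third is invented to show the port-on-the-wrong-side case.

```python
"""Lint Cisco ASA extended ACEs for an object-group placed on the wrong side.

Added example, not code from the thread. Handles this ACE subset only:
  access-list NAME extended {permit|deny} PROTO SRC [SPORT] DST [DPORT] [log ...]
  SRC/DST     : any | any4 | any6 | host IP | IP MASK | object NAME
                | object-group NAME | interface IFC
  SPORT/DPORT : eq|lt|gt|neq PORT | range LO HI | object-group SERVICE_GROUP
Service object-groups must be listed in `service_groups`: after the source spec an
`object-group X` token is otherwise indistinguishable from the destination spec.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ANY = {"any", "any4", "any6"}
PORT_OPS = {"eq", "lt", "gt", "neq"}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Ace:
    name: str
    action: str
    proto: str
    src: str
    src_port: Optional[str]
    dst: str
    dst_port: Optional[str]
    log: bool


def _endpoint(tok: List[str], i: int) -> Tuple[str, int]:
    """Consume one source/destination spec at tok[i]; return (spec, next index)."""
    t = tok[i]
    if t in ANY:
        return t, i + 1
    if t in ("host", "object", "object-group", "interface") and i + 1 < len(tok):
        return f"{t} {tok[i + 1]}", i + 2
    if IPV4.match(t) and i + 1 < len(tok) and IPV4.match(tok[i + 1]):
        return f"{t} {tok[i + 1]}", i + 2
    raise ValueError(f"unrecognised endpoint {t!r} in: {' '.join(tok)}")


def _port(tok: List[str], i: int, service_groups: Set[str]) -> Tuple[Optional[str], int]:
    """Consume an optional port spec at tok[i]; return (spec or None, next index)."""
    if i >= len(tok):
        return None, i
    t = tok[i]
    if t in PORT_OPS:
        return f"{t} {tok[i + 1]}", i + 2
    if t == "range":
        return f"range {tok[i + 1]} {tok[i + 2]}", i + 3
    if t == "object-group" and i + 1 < len(tok) and tok[i + 1] in service_groups:
        return f"object-group {tok[i + 1]}", i + 2
    return None, i


def parse_ace(line: str, service_groups: Set[str] = frozenset()) -> Ace:
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError("not an extended ACE: " + line)
    if tok[3] not in ("permit", "deny"):
        raise ValueError("expected permit/deny: " + line)
    name, action, proto, i = tok[1], tok[3], tok[4], 5
    src, i = _endpoint(tok, i)
    src_port, i = _port(tok, i, service_groups)
    dst, i = _endpoint(tok, i)
    dst_port, i = _port(tok, i, service_groups)
    return Ace(name, action, proto, src, src_port, dst, dst_port, "log" in tok[i:])


def lint_ace(ace: Ace, external_groups: Set[str]) -> List[Tuple[str, str]]:
    """Findings as (code, detail). `external_groups` names object-groups holding
    servers that inside hosts connect TO (here: the CRL distribution points)."""
    findings = []
    src_kind, _, src_name = ace.src.partition(" ")
    if src_kind == "object-group" and src_name in external_groups:
        findings.append(("external-group-as-source", src_name))
    if ace.proto in ("tcp", "udp") and ace.src_port and not ace.dst_port:
        # Clients use ephemeral source ports; "eq www" on the source side never matches.
        findings.append(("port-on-source-only", ace.src_port))
    return findings


def lint_acl(lines: List[str], external_groups: Set[str]) -> dict:
    return {line: lint_ace(parse_ace(line), external_groups) for line in lines}


# Constructed sample: the ACE as quoted in the question, the ACE the ASA reports in
# packet-tracer, and an invented variant with the port pinned to the source.
SAMPLE_ACL = [
    "access-list aclServersIn extended permit tcp object-group objIdentrustCRL any eq www log",
    "access-list aclServersIN extended permit tcp any object-group ObjIdentrustCRL eq www log",
    "access-list aclServersIN extended permit tcp any eq www object-group ObjIdentrustCRL",
]
CRL_GROUPS = {"objIdentrustCRL", "ObjIdentrustCRL"}  # assumed names of the CRL server groups

if __name__ == "__main__":
    for line, findings in lint_acl(SAMPLE_ACL, CRL_GROUPS).items():
        print("OK  " if not findings else "WARN", line, findings)
```

Run against a `show running-config access-list` dump, the lint reports only the ACEs whose external group or port spec is on the source side; an ACE with the group as destination and `eq www` after it, which is what the ASA later shows as the active rule, produces no finding.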

Francesco,

The interface is defined as:

interface GigabitEthernet1/3.224
description Servers Network
vlan 224
nameif Servers
security-level 90

 

The config for interfaces is:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

 

The ACL entries are:

source = any

destination = objIdentrustCRL

service = tcp/http

port = 80

 

The ACL gets hits each time I run the certutil, but the response is always a timeout.

OK, a little more recon.  I did a show access-list for my aclServersIN and it showed:

access-list aclServersIN line 1 extended permit tcp any host 192.147.157.157
access-list aclServersIN line 2 extended permit tcp any host 192.35.177.153
access-list aclServersIN line 3 extended permit tcp any host 23.196.105.43
access-list aclServersIN line 4 extended permit tcp any host 192.35.177.69

 

which appears correct.  Then I saw the actual real-time log for this and it showed 

access-list aclServersIN permitted tcp Servers/192.168.0.235(56096)->outside/192.35.177.153(80) hitcnt 1 first hit

 

This looks like it should (to me), but should I not see a "return" entry for the data coming back?  Or does it only show the outgoing logs?

 

 

Can you run the following command and paste the output?
Packet-tracer input Servers tcp 192.168.0.235 12345 192.35.177.153 80 detail

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2019.03.14 06:52:53 =~=~=~=~=~=~=~=~=~=~=~=
$ packet-tracer input servers tcp 192.168.0.235 12345 192.35.177.153 80 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 20.4.141.2 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group aclServersIN in interface Servers
access-list aclServersIN extended permit tcp any object-group ObjIdentrustCRL eq www log
object-group network ObjIdentrustCRL
description: Identrust
network-object object Identrust_CRL
network-object object IdentrustCRL2
network-object object DISAintermediateCRL
network-object object ldapeca.identrust.com
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fcd524b6380, priority=13, domain=permit, deny=false
hits=9, user_data=0x7fcd6056bf40, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=192.35.177.153, mask=255.255.255.255, port=80, tag=any, dscp=0x0
input_ifc=Servers, output_ifc=any

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map Servers-class
match any
policy-map Servers-policy
description Set to allow UDP/SMTP email out of the system
class Servers-class
set connection conn-max 0 embryonic-conn-max 1000 random-sequence-number enable
service-policy Servers-policy interface Servers
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fcd6d31d7e0, priority=8, domain=conn-set, deny=false
hits=78447519, user_data=0x7fcd6d31b110, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Servers, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network objServers
nat (Servers,outside) dynamic PatIP
Additional Information:
Dynamic translate 192.168.0.235/12345 to 20.4.141.6/12345
Forward Flow based lookup yields rule:
in id=0x7fcd6d37c5b0, priority=6, domain=nat, deny=false
hits=2191987, user_data=0x7fcd6d37b890, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.0.224, mask=255.255.255.240, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Servers, output_ifc=outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fcd6acbced0, priority=0, domain=nat-per-session, deny=false
hits=24138281, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fcd6bde0a40, priority=0, domain=inspect-ip-options, deny=true
hits=26913387, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Servers, output_ifc=any

Phase: 7
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map Servers-class
match any
policy-map Servers-policy
description Set to allow UDP/SMTP email out of the system
class Servers-class
sfr fail-open
service-policy Servers-policy interface Servers
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fcd6d319590, priority=73, domain=sfr, deny=false
hits=12224127, user_data=0x7fcd6d319130, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Servers, output_ifc=any

Phase: 8
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fcd6d2d1c90, priority=0, domain=user-statistics, deny=false
hits=2492233, user_data=0x7fcd6d1e4f70, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fcd6acbced0, priority=0, domain=nat-per-session, deny=false
hits=24138283, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fcd6ba04e20, priority=0, domain=inspect-ip-options, deny=true
hits=2487786, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x7fcd6d2d9990, priority=0, domain=user-statistics, deny=false
hits=26740056, user_data=0x7fcd6d1e4f70, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=Servers

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 27571343, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_sfr
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_sfr
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Servers
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
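The trace above ends in Action: allow even though the real fetch times out. As an added example, not the thread's own code and not a Cisco tool, the following Python parses packet-tracer detail output into its phases and pulls out what an engineer reads first: the verdict, the phase that dropped (if any) and the drop reason, the matched ACE, the egress interface and next hop, and the NAT translation applied. The two embedded traces are constructed and abbreviated: the allow case reuses the values from the output above, and the drop case is invented to show what a denied flow looks like.

```python
"""Parse Cisco ASA `packet-tracer ... detail` output and summarise the verdict.
Added example, not from the thread. Assumes the layout quoted above: "Phase: N"
blocks with Type/Subtype/Result lines, then a closing bare "Result:" block that
carries Action (and Drop-reason when the packet is dropped)."""
import re
from typing import Dict, List, Optional

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
KV_RE = re.compile(r"^(Type|Subtype|Result|Action|Drop-reason|input-interface|output-interface):\s*(.*)$")
NEXTHOP_RE = re.compile(r"found next-hop (\S+) using egress ifc (\S+)")
NAT_RE = re.compile(r"translate (\S+) to (\S+)")


def parse_packet_tracer(text: str) -> Dict:
    """Return {"phases": [{phase, type, subtype, result, lines}], "final": {...}}."""
    phases: List[Dict] = []
    final: Dict[str, str] = {}
    cur: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": "", "lines": []}
            phases.append(cur)
            continue
        if line == "Result:":  # bare "Result:" opens the summary; "Result: ALLOW" belongs to a phase
            cur = None
            continue
        m = KV_RE.match(line)
        if cur is None:
            if m:
                final[m.group(1)] = m.group(2)
        elif m and m.group(1) in ("Type", "Subtype", "Result"):
            cur[m.group(1).lower()] = m.group(2)
        elif line:
            cur["lines"].append(line)  # Config / Additional Information detail
    return {"phases": phases, "final": final}


def summarise(parsed: Dict) -> Dict:
    """Verdict, dropping phase, matched ACE, egress and NAT facts from one trace."""
    phases, final = parsed["phases"], parsed["final"]
    drop = next((p for p in phases if p["result"].upper() == "DROP"), None)
    acl = next((p for p in phases if p["type"] == "ACCESS-LIST"), None)
    egress = nat = None
    for line in (l for p in phases for l in p["lines"]):
        m = NEXTHOP_RE.search(line)
        if m:
            egress = {"next_hop": m.group(1), "ifc": m.group(2)}
        m = NAT_RE.search(line)
        if m:
            nat = {"from": m.group(1), "to": m.group(2)}
    return {
        "action": final.get("Action", "").lower(),
        "drop_phase": None if drop is None else (drop["phase"], drop["type"]),
        "drop_reason": final.get("Drop-reason"),
        "acl_rule": next((l for l in acl["lines"] if l.startswith("access-list ")), None) if acl else None,
        "egress": egress,
        "nat": nat,
    }


# Constructed, abbreviated traces (phases 4-12 and the status lines omitted).
ALLOW_TRACE = """Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 20.4.141.2 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group aclServersIN in interface Servers
access-list aclServersIN extended permit tcp any object-group ObjIdentrustCRL eq www log
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network objServers
nat (Servers,outside) dynamic PatIP
Additional Information:
Dynamic translate 192.168.0.235/12345 to 20.4.141.6/12345

Result:
input-interface: Servers
output-interface: outside
Action: allow
"""

DROP_TRACE = """Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 20.4.141.2 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Servers
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for name, trace in (("allow", ALLOW_TRACE), ("drop", DROP_TRACE)):
        print(name, summarise(parse_packet_tracer(trace)))
```

A trace that ends in allow only confirms the ASA's own forward-path policy for that 5-tuple: the SYN is permitted, translated and sent out the resolved interface. It says nothing about whether a SYN-ACK comes back, so a timeout on the client with an allow here points past the firewall. The next things to look at are the live flow in `show conn` and the reason field of the 302014 teardown syslog for that connection (SYN Timeout means the remote never answered), then the same fetch from a host outside the ASA. The SFR phase only records that the flow is handed to the Firepower module; what the module does with it is not part of the simulation.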

 
