It seems to me that an ACL wipes out the need for the security levels. Take a configuration of outside, dmz, and inside interfaces. In the DMZ there is a mail server that needs to talk SMTP to all servers on the internet. So you create an ACL allowing it to do so and apply it inbound to the dmz interface. Now, say you create a static for an inside server into the dmz interface because you want the DMZ server to be able to FTP to the inside server. Doesn't the ACL you applied to the dmz interface allow you to try and hit the FTP inside server on port 25? Is it normal to have to follow these "allow to any" ACEs with denies to all internal servers that have translations into the DMZ?
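
The ACE ordering the question describes, as an added example that is not part of the original post: a simplified first-match model of an inbound interface ACL (not firewall code), comparing a list with only the "allow to any" SMTP entry against one that denies the translated inside server first. All addresses and the names `NAIVE`, `TIGHT`, `evaluate` and `probe` are constructed for illustration; it assumes TCP only and that the interface ACL alone decides the flow once the static exists.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addresses, not taken from the post.
MAIL = "172.16.1.10"        # DMZ mail server
FTP_XLATE = "172.16.1.50"   # inside FTP server as translated into the DMZ
INTERNET_MX = "198.51.100.25"
ANY = "0.0.0.0/0"

# Each ACE: (action, source network, destination network, dest port or None=any)
NAIVE = [
    ("permit", MAIL + "/32", ANY, 25),               # mail server -> any, SMTP
    ("permit", MAIL + "/32", FTP_XLATE + "/32", 21), # mail server -> inside FTP
]

TIGHT = [
    ("permit", MAIL + "/32", FTP_XLATE + "/32", 21), # only FTP to the inside host
    ("deny", ANY, FTP_XLATE + "/32", None),          # nothing else reaches it
    ("permit", MAIL + "/32", ANY, 25),               # then SMTP to everything else
]


def evaluate(acl, src, dst, port):
    """Return the action of the first matching ACE; implicit deny at the end."""
    for action, src_net, dst_net, dport in acl:
        if (ip_address(src) in ip_network(src_net)
                and ip_address(dst) in ip_network(dst_net)
                and dport in (None, port)):
            return action
    return "deny"


def probe(acl):
    """Evaluate the flows from the question against one ACL."""
    return {
        "smtp_to_internet": evaluate(acl, MAIL, INTERNET_MX, 25),
        "ftp_to_inside": evaluate(acl, MAIL, FTP_XLATE, 21),
        "smtp_to_inside": evaluate(acl, MAIL, FTP_XLATE, 25),
        "http_to_internet": evaluate(acl, MAIL, INTERNET_MX, 80),
    }


if __name__ == "__main__":
    for name, acl in (("NAIVE", NAIVE), ("TIGHT", TIGHT)):
        print(name, probe(acl))
```

Because evaluation stops at the first match, the deny for the translated address only has an effect when it sits above the broad permit.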