I have 5 different VLANs created on the FWSM each one with different security levels. I have version 3.7 in single context mode and NAT disabled.
For traffic flowing from one interface with a security level of 100 (called inside) to another with a security level of 20 (called WEB), I need to create an access-list and apply it inbound on the inside interface to permit traffic to the WEB interface, but I don't need to create an access-list on the WEB interface in order to permit the return traffic, is this correct?
If I want some host on the WEB interface to have access to the inside host, I need to create an access-list and apply it inbound on the WEB interface, and do I need to create an access-list on the inside interface in order to permit the return traffic? I am confused with the concept of security levels because I cannot see any advantage in defining different security levels.
With a stateful firewall you do not need access-lists to allow the return traffic as that is what stateful firewalls do. So in your case
Inside -> Web - you only need access-list on inside interface
Web -> Inside - you only need access-list on WEB interface.
Note in the above 2 examples we are talking about where the connection is initiated from and not referring to return traffic.
On standalone PIX/ASA devices traffic is allowed from a higher to a lower security interface without an access-list. Only the FWSM requires an access-list no matter what the security level. I admit this can be a bit confusing.
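The behaviour described in this answer, as an added illustration that is not part of the original thread and not Cisco code: a small Python model in which an inbound access-list is consulted only for the interface where a connection is initiated, and reply packets are matched against a connection table instead of any access-list. Interface names come from the question; addresses and ports are constructed.

```python
"""Simplified model of stateful access-list handling (constructed example).

One inbound access-list per interface, like `access-group <acl> in interface <if>`.
Entries are (source prefix, destination host, destination port) permits.
Security levels are deliberately ignored: the answer states the FWSM needs an
access-list regardless of level, so only the ACL and the state table decide.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src_if src sport dst dport")

# Constructed policy: inside hosts may reach the web server on port 80,
# nothing is applied on the WEB interface yet.
ACLS = {
    "inside": [("10.1.1.", "192.168.20.10", 80)],
    "WEB": [],
}


class StatefulFirewall:
    def __init__(self, acls):
        self.acls = acls
        self.conn_table = set()  # established (src, sport, dst, dport) tuples

    def _acl_permits(self, flow):
        """Check the inbound access-list of the interface the packet arrived on."""
        for src_prefix, dst, dport in self.acls.get(flow.src_if, []):
            if flow.src.startswith(src_prefix) and flow.dst == dst and flow.dport == dport:
                return True
        return False

    def packet(self, flow):
        """Return 'permit' or 'deny' for one packet arriving on flow.src_if."""
        reverse = (flow.dst, flow.dport, flow.src, flow.sport)
        if reverse in self.conn_table:
            return "permit"  # return traffic: state table, no ACL lookup
        if self._acl_permits(flow):
            self.conn_table.add((flow.src, flow.sport, flow.dst, flow.dport))
            return "permit"  # new connection permitted by the inbound ACL
        return "deny"  # new connection with no matching ACL entry


if __name__ == "__main__":
    fw = StatefulFirewall(ACLS)
    print("inside -> WEB new :", fw.packet(Flow("inside", "10.1.1.5", 40000, "192.168.20.10", 80)))
    print("WEB -> inside reply:", fw.packet(Flow("WEB", "192.168.20.10", 80, "10.1.1.5", 40000)))
    print("WEB -> inside new  :", fw.packet(Flow("WEB", "192.168.20.10", 50000, "10.1.1.5", 22)))
```

Running it shows the reply to the inside-initiated connection passing without any entry on the WEB interface, while a fresh WEB-initiated connection is denied until an access-list is applied there.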