I have a couple of questions.
When I am applying an access-list "in" to the DMZ interface, how does that work? What I mean is, from the outside int to the DMZ int, that would be "in", right? Also, from the inside to the DMZ, that would be "in" also, right? I am trying to write an access-list, but having some issues with the direction for whatever reason.
I have a passive FTP situation.
Server (192.168.45.6) ---> DMZ int ---> outside int --- SFTP (control port: 10021) (Passive port: 34000 to 34050). Inspect is turned on for ftp.
Here are my outside and DMZ AL
access-list 201 extended permit tcp any host 192.168.45.6 eq 10021
access-list 201 extended permit tcp any host 192.168.45.6 range 34000 34050
access-list 201 extended permit tcp host 192.168.45.6 any eq 10021
access-list 201 extended permit tcp host 192.168.45.6 any range 34000 34050
access-list 200 extended permit tcp any host XX.24.139.XX eq 10021
access-list 200 extended permit tcp any host XX.24.139.XX range 34000 34050
I think I can remove my lines from my outside int because the connection is starting from the DMZ int, but not sure if the DMZ AL is correct? Thoughts?
I see that I misunderstood what you were trying to do. I was assuming that the clients would be the ones initiating the traffic--not the server.
In that case, you wouldn't need the outside ACL as the return traffic will be allowed once the original outbound connection gets built.
Also, see below for the answers to your other questions:
[Q]: If I understand you correctly, if I am sending traffic from my ftp server on my DMZ to the DMZ interface that would be in the "in" direction correct?
[A]: Yes, this is exactly right.
[Q]: So if I have my DMZ ACL "in" it's really blocking traffic coming into the interface, traversing the FW? Correct?
[A]: Yes, this is correct as well. Since there is an implicit 'deny ip any any' at the end of every ACL, applying your DMZ ACL inbound on the DMZ interface would only allow TCP/10021 and TCP/34000-34050 traffic to and from the 192.168.45.6 server. All other traffic that hits the DMZ interface would be dropped by the ASA.
[Q]: Also, if I want to restrict traffic coming into the DMZ, would I put the ACL in the "out" direction? Is that right?
[A]: Well, this would work but you will rarely see it done this way. The reason for this is that an ACL applied in the "out" direction will be one of the last things considered when deciding how to pass traffic. So, you waste processing time putting packets through all of the security checks, NAT, etc. if after all of that you just decide to drop the packet anyway. Instead, you would want to restrict traffic as it ingresses into the ASA (i.e. in the "in" direction). However, one thing to keep in mind is that the ASA will allow all traffic by default from a high security interface to a low security interface, and the ASA will deny all traffic by default from a low security interface to a high security interface. So, you won't have to restrict traffic coming into the DMZ from the outside interface, for example--this will already be denied due to the security levels. If you wanted to restrict traffic coming into the DMZ from, for example, the inside interface, then you would be better off denying it in an ACL in the "in" direction on the inside interface, rather than the "out" direction on the DMZ interface.
Does that make sense?
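As an added illustration (not code from either post or from Cisco), here is a small Python model of the decision the answer describes: an ACL applied "in" on the ingress interface is checked first-match with the implicit deny at the end, an interface with no ACL falls back to the security-level default (higher to lower permitted, lower to higher denied), and return traffic of a connection that has already been built is allowed without an ACL check. It parses the DMZ ACL 201 from the question as written. The outside host 203.0.113.10, the inside host 10.0.0.5, the security levels (outside 0, DMZ 50, inside 100) and the ephemeral ports are constructed for the example; NAT and the ftp inspection pinholes are deliberately left out.

```python
"""Simplified model of an ASA's per-packet decision: inbound ACL on the
ingress interface, security-level default when there is no ACL, and a
connection table that lets return traffic through. Constructed example."""
import ipaddress
import re
from collections import namedtuple

Rule = namedtuple("Rule", "acl action proto src dst dport")
Packet = namedtuple("Packet", "proto src dst sport dport")

# Handles the 'extended permit|deny <proto> <src> <dst> [eq N | range A B]' shape used in the post.
ACL_RE = re.compile(
    r"access-list (\S+) extended (permit|deny) (\S+) "
    r"(any|host \S+) (any|host \S+)(?: (eq \d+|range \d+ \d+))?$"
)

def _addr(token):
    """'any' matches every address (None); 'host X' matches exactly X."""
    return None if token == "any" else ipaddress.ip_address(token.split()[1])

def _ports(token):
    """Destination port spec -> inclusive (low, high); None means any port."""
    if token is None:
        return None
    parts = token.split()
    return (int(parts[1]), int(parts[1])) if parts[0] == "eq" else (int(parts[1]), int(parts[2]))

def parse_acl(lines):
    """Turn 'access-list ... extended ...' lines into Rule tuples, in order."""
    rules = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL syntax: {line}")
        acl, action, proto, src, dst, pspec = m.groups()
        rules.append(Rule(acl, action, proto, _addr(src), _addr(dst), _ports(pspec)))
    return rules

def _match(rule, pkt):
    if rule.proto not in ("ip", pkt.proto):
        return False
    if rule.src is not None and rule.src != pkt.src:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    return rule.dport is None or rule.dport[0] <= pkt.dport <= rule.dport[1]

def acl_verdict(rules, pkt):
    """First matching entry wins; the implicit 'deny ip any any' ends every ACL."""
    for r in rules:
        if _match(r, pkt):
            return r.action
    return "deny"

class Asa:
    """Interfaces as name -> (security level, inbound rules or None) plus a connection table."""
    def __init__(self, interfaces):
        self.ifaces = interfaces
        self.conns = set()   # Packets whose connection the ASA has already built

    def ingress(self, iface, egress, pkt):
        """Decide on a packet arriving 'in' on iface that would leave via egress."""
        reverse = Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if reverse in self.conns:          # return traffic of a built connection
            return "permit (established)"
        level, rules = self.ifaces[iface]
        if rules is not None:              # ACL applied 'in' on this interface
            verdict = acl_verdict(rules, pkt)
        else:                              # no ACL: security levels decide
            verdict = "permit" if level > self.ifaces[egress][0] else "deny"
        if verdict == "permit":
            self.conns.add(pkt)
        return verdict

def demo():
    """Walk the scenario from the question: the DMZ server initiates to an outside host."""
    dmz_acl = parse_acl([
        "access-list 201 extended permit tcp any host 192.168.45.6 eq 10021",
        "access-list 201 extended permit tcp any host 192.168.45.6 range 34000 34050",
        "access-list 201 extended permit tcp host 192.168.45.6 any eq 10021",
        "access-list 201 extended permit tcp host 192.168.45.6 any range 34000 34050",
    ])
    asa = Asa({"outside": (0, None), "dmz": (50, dmz_acl), "inside": (100, None)})
    server = ipaddress.ip_address("192.168.45.6")
    remote = ipaddress.ip_address("203.0.113.10")   # constructed outside host (TEST-NET-3)
    lan = ipaddress.ip_address("10.0.0.5")           # constructed inside host
    return {
        "dmz_to_outside_control": asa.ingress("dmz", "outside", Packet("tcp", server, remote, 49152, 10021)),
        "outside_return": asa.ingress("outside", "dmz", Packet("tcp", remote, server, 10021, 49152)),
        "outside_initiated": asa.ingress("outside", "dmz", Packet("tcp", remote, server, 40000, 10021)),
        "dmz_to_outside_ssh": asa.ingress("dmz", "outside", Packet("tcp", server, remote, 49153, 22)),
        "inside_to_dmz_http": asa.ingress("inside", "dmz", Packet("tcp", lan, server, 50000, 80)),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

Running it shows the three points the answer makes: the server's outbound control connection is permitted by ACL 201 and its return packets come back as "established" without any outside ACL; a connection the outside host initiates is denied by the security levels alone; a DMZ packet to port 22 hits the implicit deny; and an inside host reaching the DMZ server is permitted by default, which is why that traffic would have to be restricted "in" on the inside interface.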