I have a two-part question about ACLs in/out of my DMZ.
1. If I have a client on the internal interface who needs to contact a web server in the DMZ, do I need an ACL on the internal interface, as well as an ACL on the outgoing interface of the DMZ?
2. If an internal host needs to access HTTP on the DMZ web server, what ports do I allow back from the DMZ? For instance, the internal ACL uses HTTP(S), but I am unsure of the ACL back from the web server. I don't want to use all TCP.
1. No; the more secure inside interface will be able to reach the less secure DMZ interface. The inside should be security level 100, while the DMZ should be 50-25, etc., depending on what you set it to.
Just watch your NATs. You'll probably need to adjust nat (inside) 0 access-list somelist to include the private IPs from inside to the DMZ IPs:
10.10.10.0 255.255.255.0 10.1.1.0 255.255.255.0
2. Nothing. You don't need to allow anything back... that is the best part! All traffic will statefully be allowed back in. The only thing the ACL on the DMZ needs to permit is original connections; this could be a BES server in a DMZ going back to an internal SQL server, a DMZ server going out to Symantec to do a virus update, etc.
There should always be an ACL with a deny any any (log) applied on the DMZ interface. Log if you want to see what the DMZ servers are trying to do ;)
Remember, the whole point of the DMZ is to isolate the servers in a secure "jail". They only talk to the hosts you permit them to. PERIOD.
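A concrete configuration for the setup the answer describes, added here as an example; it is not from the original post. It assumes ASA 7.x/8.2-era syntax (pre-8.3, where nat (inside) 0 access-list is still valid), the 10.10.10.0/24 inside and 10.1.1.0/24 DMZ subnets from the answer, and hypothetical addresses: inside gateway 10.10.10.1, DMZ gateway 10.1.1.1, a DMZ web/BES server at 10.1.1.10, and an internal SQL server at 10.10.10.20. The ACL names NONAT and DMZ_IN and the SQL port 1433 are my choices, not something the post specifies.

```cisco
! Interfaces: inside is the most trusted (100), the DMZ sits below it (50).
! Interface names and addresses are hypothetical.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
! NAT exemption (pre-8.3 syntax): inside hosts talk to DMZ hosts with
! their real addresses instead of being run through the regular
! nat (inside) 1 / global rules.
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! No ACL is applied to the inside interface: level 100 -> 50 is permitted
! by default. The ASA creates a connection entry for each TCP session, so
! the web server's replies are matched to that entry and are never
! evaluated against the DMZ ACL below.
!
! DMZ ACL: only connections the DMZ servers ORIGINATE need permits.
! 10.1.1.10 is the hypothetical DMZ server, 10.10.10.20 the hypothetical
! internal SQL server; 1433 is the default MS SQL port (assumption).
access-list DMZ_IN extended permit tcp host 10.1.1.10 host 10.10.10.20 eq 1433
! Block anything else aimed at the inside network BEFORE the broader
! outbound permits, so "any" below cannot be used to reach internal hosts.
access-list DMZ_IN extended deny ip any 10.10.10.0 255.255.255.0 log
! Outbound update traffic (e.g. AV definition downloads) to the Internet.
access-list DMZ_IN extended permit tcp host 10.1.1.10 any eq www
access-list DMZ_IN extended permit tcp host 10.1.1.10 any eq https
! Everything else the DMZ tries to start is dropped and logged.
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```

To see the stateful behaviour the answer relies on, have an inside client browse to 10.1.1.10 and run show conn: the TCP entry between inside and dmz is what lets the server's replies through without any permit in DMZ_IN, and show access-list DMZ_IN will show zero hits on the permit lines for that session. One caveat worth keeping in mind: the "no ACL on inside" answer holds only while no access-group is applied to the inside interface. As soon as you apply one, it replaces the implicit level-based permit and must explicitly permit tcp 10.10.10.0/24 to 10.1.1.10 eq www and https.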