We have an outside DNS server in our DMZ we maintain as well as an FTP server and McAfee Agent Handler for outside users to update virus definitions. Never needed an ACL on the DMZ interface until putting the McAfee box in. It has to have open ports to our SQL server on the inside as well as the McAfee ePO server. The McAfee box is the only box that has to have access to the inside network. All servers are accessed by outside users via an ACL on the outside interface (in)... normal stuff.
When I applied the ACL to the DMZ interface (in), the other boxes were not able to get to the internet via the outside interface. Security is set up as:
Outside = 0
DMZ = 50
Inside = 100
Again, normal stuff. Since the outside interface is a lower security interface than the DMZ interface, I didn't think I would have to implicitly allow traffic from the DMZ to the outside after applying the ACL. DNS responses to queries were being dropped, and none of the servers could get to the Internet. The only thing that was working was what I had implicitly allowed with the ACL to the inside network from the McAfee box.
What am I missing?