I'm working on setting up a new ASA 5550, and have run into a question that I hope is easily answered.
I currently have 4 interfaces, SL100 Inside, SL80 DMZ1, SL50 DMZ2, and SL0 Outside. I was under the impression that each interface, depending on security level would pass traffic from higher levels to lower, but not allow traffic being generated from SL80 to SL100.
What I would like to accomplish is that any hosts on my SL100 Inside interface can access the "internet" which is connected to my outside interface of the ASA, which was very simple, just a permit internal subnets eq www / https / etc...
Now, my DMZ subnets need to access a few servers on my internal interface, and need outbound access to the world as well. Thinking that all traffic from my lower SL interfaces on the ASA would be denied, I entered a permit IP / DMZ subnet ------> any. This worked great for giving my DMZ hosts access to the internet, but it also permit traffic from the DMZ to hosts on my Inside interface as well.
My initial thoughts are to permit www / https to the DMZ subnets to any, and to use deny statements at my Inside interface ACL's from the DMZ IP's that I don't want these systems touching, but I'm just looking some opinions on the "right" way to accomplish this.