The ASA has a DMZ interface, and it has an ACL with deny ip any any.
Then it has a few ACL entries that allow HTTP, HTTPS, DNS, and other traffic from the DMZ to the outside.
Users are getting an IP from the DHCP pool that is configured for the DMZ interface.
I need to know how users are getting an IP on the PC from the DMZ pool even though the DHCP request or broadcast is not allowed under the ACL.
Config of ASA is attached.
The ASA acts a bit differently than what you might have been used to with a Cisco router. On a Cisco router, having an ACL that denies traffic could mean that you were actually blocking DHCP operation on the router itself for the hosts.
On the ASA, however, the typical interface ACL won't affect DHCP operation at all. So if you have configured an ACL and DHCP on the ASA interface, then the DHCP operation won't be blocked.
On the ASA, the ACLs on the interface filter traffic through the ASA, but not traffic that is for the ASA. When a client sends a DHCP broadcast, that is traffic that is for the ASA (as you have enabled the DHCP server), so you don't need an ACE for that.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
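To illustrate the point both answers make (interface ACLs filter through-the-box traffic, not to-the-box traffic such as DHCP handled by the ASA's own server), here is an added example configuration. It is not the original poster's attached config; the interface name, addresses, ACL name and DNS server are assumed values.

```cisco
! Assumed DMZ interface (example values, not from the attached config)
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! Interface ACL for traffic entering the ASA from the DMZ and going
! *through* it. Note there is no ACE for DHCP (UDP 67/68).
access-list DMZ_IN extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list DMZ_IN extended permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list DMZ_IN extended permit udp 192.168.10.0 255.255.255.0 any eq domain
access-list DMZ_IN extended deny ip any any
access-group DMZ_IN in interface dmz
!
! DHCP server running on the ASA itself for the DMZ segment.
! Client DISCOVER/REQUEST broadcasts are addressed *to* the ASA, so the
! DMZ_IN ACL (and its deny ip any any) is never consulted for them.
dhcpd address 192.168.10.10-192.168.10.100 dmz
dhcpd dns 192.0.2.53
dhcpd enable dmz
!
! Verification: leases appear even though the ACL has no DHCP permit,
! and the deny ACE hit count does not increase for the DHCP exchange.
! show dhcpd binding
! show dhcpd statistics
! show access-list DMZ_IN
```

If the requirement is to keep DMZ hosts from obtaining an address, disable the ASA's DHCP server on that interface (the ACL cannot do it); the ACL remains the control for what those hosts may reach through the ASA.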