It seems to me that an ACL wipes out the need for the security levels. Take a configuration of outside,dmz,inside interfaces. In the dmz there is a mail server that needs to talk smtp to all servers on the internet. So you create an acl allowing it to do so and apply it inbound to the dmz interface. Now, say you create a static for an inside server into the dmz interface because you want the dmz server to be able to ftp to the inside server. Doesn't the acl you applied to the dmz interface allow you to try and hit the ftp inside server on port 25? Is it normal to have to follow these "allow to any" ACEs with denys to all internal servers that have translations into the dmz?
By default on the pix traffic will flow from a higher security interface to a lower one without an ACL (note the FWSM on a 6500 behaves differently). So you shouldn't need an access-list to allow your mail server to talk to the Internet, just a static translation presenting it to the outside.
However, if you then need to have the mail server ftp to a server inside, then you do need an acl.
As soon as you apply that acl, you need a permit statement in there for your mail server to get to the Internet. And as you can't list all of the possible mail servers, you need a permit mail-server to any.
So yes, you would need to deny the mail server to the rest of your internal network. Hopefully your internal network is easily summarised?
From a security point of view you probably wouldn't want to allow your mail-server to ftp into your internal network though. Generally speaking, if you can, no connections should be initiated from the DMZ to the inside, but this is easier said than done :-)
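The ordering the answer describes (one specific permit, then a deny to the summarised inside network, then the permit to any), as an added pre-8.3 PIX/ASA config example that is not from the original post. Interface names, the DMZ_IN list name and all addresses (mail relay 192.168.50.25, inside FTP server 10.1.1.20, inside summary 10.0.0.0/8) are constructed; the static is an identity translation so the inside server keeps its real address when seen from the dmz.

```cisco
! Added example, not from the original post. Addresses and names are constructed.
! Interfaces: outside (security 0), dmz (security 50), inside (security 100).
! Pre-8.3 syntax: ACLs reference the address as seen on the interface they are applied to.

! Identity static: the inside FTP server is reachable from the dmz by its real
! address. This is the "static into the dmz" the question describes.
static (inside,dmz) 10.1.1.20 10.1.1.20 netmask 255.255.255.255

! Inbound list on the dmz interface. First match wins, so order matters.
! 1. The single DMZ -> inside flow that is actually wanted (relay -> inside FTP).
access-list DMZ_IN extended permit tcp host 192.168.50.25 host 10.1.1.20 eq ftp
! 2. Deny everything else from the relay to the inside summary, so the
!    "permit to any" below cannot reach 10.1.1.20:25 or any other inside host
!    that has a static into the dmz.
access-list DMZ_IN extended deny ip host 192.168.50.25 10.0.0.0 255.0.0.0
! 3. Only now let the relay talk SMTP to any host on the Internet.
access-list DMZ_IN extended permit tcp host 192.168.50.25 any eq smtp
! Everything else from the dmz hits the implicit deny at the end of the list.

access-group DMZ_IN in interface dmz
```

Swapping lines 2 and 3 would reproduce the exposure the question worries about, because the permit to any would match the inside server's port 25 before the deny is evaluated.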