Do you mean that you want to allow the DMZ access to less secure networks and block all other traffic?
The main question in this case would be whether you are using an ACL on the DMZ interface at the moment.
If you are NOT using an ACL on the DMZ interface then the "security-level" value should be enough to achieve this.
Since you ask about this then I would presume that you already have an ACL configured on the interface. If so then this means you will have to configure the ACL in the way that your specifications are met. This is because the "security-level" doesn't really have any meaning after an ACL has been attached to the interface.
If you were to build an ACL to mimic the operation of "security-level" value you could follow the following sample configuration.
object-group network DMZ-BLOCKED
 description Networks blocked for the DMZ
 network-object <more-secure-network> <mask>
access-list DMZ-IN remark Deny traffic to more secure networks
access-list DMZ-IN deny ip any object-group DMZ-BLOCKED
access-list DMZ-IN remark Allow all other traffic
access-list DMZ-IN permit ip any any
access-group DMZ-IN in interface dmz
The above example would essentially first group all the networks to which the DMZ is NOT to have access inside an "object-group". This "object-group" would then be used in the DMZ interface ACL as the destination to block traffic to those networks. After this all other traffic would be allowed which would essentially allow outbound Internet connections or connections to LAN networks that WERE NOT specified in the "object-group" we created.
If for some reason you need to allow traffic to more secure networks then you would have to add "permit" statements for those at the TOP of the created ACL (so they don't get blocked by the "deny" statement).
Without knowing the exact setup it's impossible for me to give any actual specific configuration, more than I have already mentioned above. The above configuration example blocks traffic to more secure networks (that you define in the object-group) and then allows all other traffic that would essentially mean all the less secure networks.
If you want the ASA to do this automatically then the only way would be to purely use "security-level" configurations on the DMZ interface without any interface ACL.
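The ordering point in the reply above (exceptions must sit above the "deny") can be checked offline with a small first-match model of the DMZ-IN ACL. This is an added example, not part of the original post and not ASA code; the subnets, the host 10.10.10.50 and the "Allow DMZ to LAN server" remark are constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumption): the "more secure" networks in DMZ-BLOCKED.
DMZ_BLOCKED = [ipaddress.ip_network(n) for n in ("10.10.10.0/24", "10.10.20.0/24")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

def host(addr):
    """Destination list holding a single host."""
    return [ipaddress.ip_network(addr + "/32")]

def evaluate(acl, dst):
    """Return (action, remark) of the first entry whose destination matches.
    Entries are processed top-down; no match falls through to the implicit deny."""
    ip = ipaddress.ip_address(dst)
    for action, nets, remark in acl:
        if any(ip in n for n in nets):
            return action, remark
    return "deny", "implicit deny"

def shadowed(acl):
    """Remarks of entries that can never match because every destination they
    list is already inside a destination of an earlier entry."""
    seen, dead = [], []
    for _action, nets, remark in acl:
        if all(any(n.subnet_of(s) for s in seen) for n in nets):
            dead.append(remark)
        seen.extend(nets)
    return dead

# The DMZ-IN ACL from the post, reduced to destination matching (source is "any").
DMZ_IN = [
    ("deny", DMZ_BLOCKED, "Deny traffic to more secure networks"),
    ("permit", ANY, "Allow all other traffic"),
]

# Hypothetical exception: one LAN server the DMZ must reach.
EXCEPTION = ("permit", host("10.10.10.50"), "Allow DMZ to LAN server")
DMZ_IN_TOP = [EXCEPTION] + DMZ_IN      # exception above the deny
DMZ_IN_BOTTOM = DMZ_IN + [EXCEPTION]   # exception appended at the end

if __name__ == "__main__":
    for name, acl in (("top", DMZ_IN_TOP), ("bottom", DMZ_IN_BOTTOM)):
        print(name, evaluate(acl, "10.10.10.50"), "shadowed:", shadowed(acl))
```
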