I am building a DMZ in my home lab with the Cisco ASA 5505. In a simple inside/outside setup, you set the security levels to inside: 100 and outside: 0, and permit inbound traffic from outside with an ACL on the firewall plus NAT.
The security-level behaviour is overridden once an ACL is applied to the interface
For DMZ traffic, the required flows must be permitted according to the requirements, for example for a server published to the Internet. Traffic from outside can be handled with an ACL and NAT. The tricky part is traffic from dmz to inside.
Traffic from a lower to a higher security level (dmz -> inside) has to be explicitly permitted by an ACL, but at the same time you have to consider dmz -> outside traffic. If you expect the security-level rule to keep working, you tend to permit only the traffic needed toward inside, as shown below.
access-list dmz_in extended permit ip <dmz> <inside>
access-group dmz_in in interface dmz
Once the access-group is applied, everything not matched by the ACL hits the implicit deny, so dmz -> outside is blocked as well. Therefore you need to permit the specific inside hosts, deny the rest of inside, and then permit any (which covers outside), as below. (The exact ACL syntax depends on the OS version and similar factors.)
access-list dmz_in extended permit <protocol> <dmz> <inside_host>
access-list dmz_in extended deny ip <dmz> <inside>
access-list dmz_in extended permit ip <dmz> any
access-group dmz_in in interface dmz
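To make the difference between the two ACLs concrete, here is a small Python model of first-match ACL evaluation with an implicit deny at the end, which is what happens on the dmz interface once an access-group is applied. This is an added example written for this post, not Cisco code or ASA output; the address plan (192.168.10.0/24 for dmz, 192.168.1.0/24 for inside, 192.168.1.20 as the published-to host) is constructed, and the model deliberately ignores NAT, stateful return traffic and object groups.

```python
"""Model of first-match ACL evaluation on an interface with an access-group
applied: the first matching entry wins, and a flow that matches nothing hits
the implicit deny at the end, so the security-level permit no longer helps.
Subnets and hosts below are constructed for this example (assumption)."""
import ipaddress

# Constructed address plan (assumption, not taken from the post).
DMZ = ipaddress.ip_network("192.168.10.0/24")
INSIDE = ipaddress.ip_network("192.168.1.0/24")
INSIDE_HOST = ipaddress.ip_network("192.168.1.20/32")
ANY = ipaddress.ip_network("0.0.0.0/0")


def ace(action, proto, src, dst):
    """One access-control entry: action is 'permit' or 'deny'; proto is a
    protocol name, or 'ip' to match every protocol."""
    return {"action": action, "proto": proto, "src": src, "dst": dst}


def evaluate(acl, proto, src_ip, dst_ip):
    """Return the action for one flow: first matching entry wins; a flow
    matching no entry is denied (the implicit deny at the end of every ACL)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for entry in acl:
        proto_ok = entry["proto"] in ("ip", proto)
        if proto_ok and src in entry["src"] and dst in entry["dst"]:
            return entry["action"]
    return "deny"  # implicit deny


# The first ACL from the post: only the dmz -> inside permit.
ACL_ONLY_INSIDE = [ace("permit", "ip", DMZ, INSIDE)]

# The corrected ACL: permit the needed host/protocol, deny the rest of
# inside, then permit anything else, which is what lets dmz -> outside through.
ACL_CORRECTED = [
    ace("permit", "tcp", DMZ, INSIDE_HOST),
    ace("deny", "ip", DMZ, INSIDE),
    ace("permit", "ip", DMZ, ANY),
]


def check_flows(acl):
    """Evaluate the three flows the post cares about against one ACL."""
    return {
        "dmz->inside_host tcp": evaluate(acl, "tcp", "192.168.10.5", "192.168.1.20"),
        "dmz->other inside": evaluate(acl, "tcp", "192.168.10.5", "192.168.1.30"),
        "dmz->outside": evaluate(acl, "tcp", "192.168.10.5", "203.0.113.10"),
    }


if __name__ == "__main__":
    for name, acl in (("only-inside", ACL_ONLY_INSIDE), ("corrected", ACL_CORRECTED)):
        print(name, check_flows(acl))
```

Running it shows the pitfall directly: with the first ACL the dmz -> outside flow comes back as deny even though no entry mentions it, because nothing matched and the implicit deny applied; with the corrected ACL the published host is reachable, the rest of inside is denied, and outside is permitted.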
For design points and how to handle errors, see here.