designetwork(EN)

IT technical memo of networking

Security level setting when building DMZ with ASA


I am building a DMZ in my home lab with the Cisco ASA 5505. In a simple inside-outside design, setting the security level to inside: 100 and outside: 0 is enough: traffic from inside to outside is allowed by the security levels, and any traffic that must come in from outside is allowed explicitly with an ACL and NAT.

However, once a DMZ is added, the security level alone is no longer enough to control traffic. The DMZ is generally set to security level 50. With that, the default access control between interfaces is as follows (O = permitted, X = denied, with no ACL applied).

O inside -> outside
O inside -> dmz
X dmz -> inside
O dmz -> outside
X outside -> inside
X outside -> dmz

Overwritten if ACL is applied

For the X cases, some communication must still be permitted according to requirements, for example an Internet-facing public server. Communication from outside can be handled with an ACL and NAT. The problem is communication from dmz to inside.

Basically, communication from a lower to a higher security level (dmz -> inside) is permitted by an ACL, but communication from dmz -> outside must be considered at the same time. Expecting the security-level behaviour to keep working, one tends to write an ACL that permits only the required communication to inside, as shown below.

access-list dmz_in extended permit ip <dmz> <inside>
access-group dmz_in in interface dmz

However, once this ACL is applied, communication from dmz to outside (the Internet) becomes impossible: the ACL ends with an implicit deny, so anything not matched is dropped. In other words, applying an ACL to an interface overrides the security-level behaviour for traffic entering that interface.

Therefore, the ACL must permit only the specific inside hosts and protocols, deny everything else to inside, and then permit any remaining destination (which in practice means outside), as below. (The exact ACL syntax depends on the ASA software version.)

access-list dmz_in remark permit only the required service to the specific inside host
access-list dmz_in extended permit <protocol> <dmz> <inside_host>
access-list dmz_in remark block everything else from dmz to inside
access-list dmz_in extended deny ip <dmz> <inside>
access-list dmz_in remark remaining destinations are outside (the Internet)
access-list dmz_in extended permit ip <dmz> any
access-group dmz_in in interface dmz
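To make the "ACL overrides the security level" behaviour concrete, here is a small Python model of how the ASA decides whether to forward a packet entering an interface. This is an added example written for this post, not ASA code or the blog's own configuration. The addresses (192.168.1.0/24 for inside, 192.168.2.0/24 for dmz, 192.168.1.10 as the permitted inside host, 203.0.113.5 as an Internet host) are constructed for illustration. It applies the two ACLs from the post, the naive one and the corrected one, and shows that only the corrected ordering keeps dmz -> outside working.

```python
"""Model of the ASA forwarding decision for a packet entering an interface.

Rule modelled here:
  - If the ingress interface has an inbound ACL, the ACL alone decides:
    first matching entry wins, and an implicit deny sits at the end.
  - If the ingress interface has no ACL, the security levels decide:
    higher -> lower is permitted, lower -> higher is denied.

Added example for this post; not ASA code. All addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed lab addressing (assumption, not taken from the post)
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}
INTERFACE_NET = {
    "inside": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("192.168.2.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    """One access-list entry: 'permit'/'deny', protocol, source, destination."""
    action: str
    protocol: str  # "ip" matches every protocol, otherwise exact match
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def ace(action, protocol, src, dst):
    """Build an Ace from prefix strings ("any" is accepted for either side)."""
    net = lambda s: ANY if s == "any" else ipaddress.ip_network(s)
    return Ace(action, protocol, net(src), net(dst))


# The naive ACL from the post: permit only dmz -> inside.
NAIVE_DMZ_IN = [
    ace("permit", "ip", "192.168.2.0/24", "192.168.1.0/24"),
]

# The corrected ACL from the post: specific host, deny rest of inside, then any.
FIXED_DMZ_IN = [
    ace("permit", "tcp", "192.168.2.0/24", "192.168.1.10/32"),
    ace("deny", "ip", "192.168.2.0/24", "192.168.1.0/24"),
    ace("permit", "ip", "192.168.2.0/24", "any"),
]


def egress_interface(dst):
    """Pick the exit interface by connected route; anything else uses the default route."""
    for name, net in INTERFACE_NET.items():
        if dst in net:
            return name
    return "outside"


def security_level_decision(ingress, egress):
    """No ACL on the ingress interface: higher security level -> lower is allowed."""
    return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]


def acl_decision(acl, protocol, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for entry in acl:
        if entry.protocol in ("ip", protocol) and src in entry.src and dst in entry.dst:
            return entry.action == "permit"
    return False


def is_permitted(ingress, acl, protocol, src, dst):
    """Decide for a packet entering `ingress`; `acl` is None when none is applied."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if acl is None:
        return security_level_decision(ingress, egress_interface(dst))
    return acl_decision(acl, protocol, src, dst)


if __name__ == "__main__":
    flows = [("tcp", "192.168.2.20", "192.168.1.10", "dmz -> permitted inside host"),
             ("tcp", "192.168.2.20", "192.168.1.50", "dmz -> other inside host"),
             ("tcp", "192.168.2.20", "203.0.113.5", "dmz -> Internet")]
    for label, acl in (("no ACL", None), ("naive ACL", NAIVE_DMZ_IN), ("fixed ACL", FIXED_DMZ_IN)):
        for proto, s, d, desc in flows:
            print(f"{label:10s} {desc:32s} {'permit' if is_permitted('dmz', acl, proto, s, d) else 'deny'}")
```

Running the block prints a decision table: with no ACL the security levels allow dmz -> Internet but block everything to inside; with the naive ACL the inside host becomes reachable but dmz -> Internet is dropped by the implicit deny; with the corrected ACL the specific host, the deny for the rest of inside, and the final permit-any give exactly the intended result.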

Design Notes

For design points and how to deal with errors, see here.

Conclusion - Security level setting when building DMZ with ASA

When building a DMZ with the home lab ASA 5505, the security level alone cannot control the traffic, and all communication from the DMZ needs to be controlled with an ACL, including the final permit for dmz -> outside.


This blog is the English version of my Japanese one.

Sorry if my English sentences are incorrect.
