Consider this statement from a PIX white paper found online:
A packet is entering an interface and PIX evaluates the security level for the source and destination interfaces. A low-to-high is allowed only if there is an access-list/conduit that allows the connection and a high-to-low is allowed by default unless a specific access-list/outbound denies it.
This was also my understanding. Now the problem... I have inside (sec100), outside (sec0) and two DMZ interfaces, but we're only working with one DMZ (sec10) today. If I don't apply an ACL to the dmz1 interface, traffic is allowed to outside and denied to inside; this makes sense.
However, as soon as I apply an ACL to the dmz1 interface that allows one host on the dmz to access another host on the inside, I lose flow between dmz1 and outside unless I specifically allow it. This makes less sense to me if the statement quoted above is correct.
What am I missing?
PL
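As an added illustration (not part of the original post), here is the dmz1 ACL written so that it grants the one dmz-to-inside flow while keeping dmz1-to-outside working; the interface names and addresses are hypothetical, and the point is the entry order, since an applied access-list ends in an implicit deny that replaces the security-level default.

```cisco
! Hypothetical PIX 6.x configuration, not from the original post.
! Addresses use documentation/private ranges chosen for this example.
nameif ethernet1 inside security100
nameif ethernet0 outside security0
nameif ethernet2 dmz1 security10

! 1. The single flow the post wants: one dmz host to one inside host.
access-list dmz1_in permit tcp host 192.0.2.10 host 10.0.0.5 eq 443

! 2. Block everything else from dmz1 toward the inside network.
!    This must come BEFORE the broad permit below; entries match top-down.
access-list dmz1_in deny ip 192.0.2.0 255.255.255.0 10.0.0.0 255.0.0.0

! 3. Restore the high-to-low default for dmz1 -> outside. Without this line
!    the ACL's implicit "deny ip any any" drops dmz1 -> outside traffic,
!    which is the behaviour described in the post.
access-list dmz1_in permit ip 192.0.2.0 255.255.255.0 any

! Bind the list to the dmz1 interface for inbound (arriving) traffic.
access-group dmz1_in in interface dmz1
```

To confirm which entry is matching, `show access-list dmz1_in` reports per-entry hit counts; a rising count on the deny entry while outside access still fails points to an ordering mistake rather than the implicit deny.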