08 May, 2015

Permit/deny Traffic between Security levels


! Check Security Level
ASA# show nameif
Interface                Name                     Security
GigabitEthernet0         ouside                     0
GigabitEthernet1         inside                   100
GigabitEthernet2         dmz                       50

ASA# show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0         ouside                 192.168.0.254   255.255.255.0   manual
GigabitEthernet1         inside                 10.0.0.254      255.255.255.0   manual
GigabitEthernet2         dmz                    20.0.0.254      255.255.255.0   manual


! Check telnet access from inside to outside and from inside to dmz.
! Both succeed without any access-list: inside (100) is a higher security level
! than outside (0) and dmz (50), so the ASA lets new flows start in that direction.
R1#tel 192.168.0.3
Trying 192.168.0.3 ... Open          !  (Permitted)
R3>exit

R1#tel 20.0.0.2
Trying 20.0.0.2 ... Open             !  (Permitted)
R2>exit

! ASA Logs
ASA(config)# logging on
%ASA-6-302013: Built outbound TCP connection 105 for ouside:192.168.0.3/23 (192.168.0.3/23) to inside:10.0.0.1/49351 (10.0.0.1/49351)
%ASA-6-302014: Teardown TCP connection 105 for ouside:192.168.0.3/23 to inside:10.0.0.1/49351 duration 0:00:15 bytes 77 TCP FINs
%ASA-6-302013: Built outbound TCP connection 106 for dmz:20.0.0.2/23 (20.0.0.2/23) to inside:10.0.0.1/56955 (10.0.0.1/56955)
%ASA-6-302014: Teardown TCP connection 106 for dmz:20.0.0.2/23 to inside:10.0.0.1/56955 duration 0:00:03 bytes 71 TCP FINs

! To deny traffic from inside to dmz, apply an access-list inbound on the inside interface.
! Once an access-group is applied, the security-level default no longer applies on that
! interface: anything the list does not permit is dropped by its implicit deny, so the
! trailing "permit ip any any" is what keeps inside-to-outside traffic working.
ASA(config)# access-list INSIDE_IN deny ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0
ASA(config)# access-list INSIDE_IN permit ip any any
ASA(config)# access-group INSIDE_IN in interface inside

! Check again telnet access from inside to outside and from inside to dmz.
R1#tel 192.168.0.3
Trying 192.168.0.3 ... Open          !  (Permitted)
R3>exit

R1#tel 20.0.0.2
Trying 20.0.0.2 ...                  !  (Dropped)
% Connection refused by remote host

! ASA Logs
%ASA-6-302013: Built outbound TCP connection 107 for ouside:192.168.0.3/23 (192.168.0.3/23) to inside:10.0.0.1/62840 (10.0.0.1/62840)  ! (Permitted traffic from inside to outside)
%ASA-6-302014: Teardown TCP connection 107 for ouside:192.168.0.3/23 to inside:10.0.0.1/62840 duration 0:00:05 bytes 71 TCP FINs       ! (Permitted traffic from inside to outside)
%ASA-4-106023: Deny tcp src inside:10.0.0.1/34138 dst dmz:20.0.0.2/23 by access-group "INSIDE_IN" [0x71cd432c, 0x0]                    ! (Denied traffic from inside to dmz)
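The log lines above are the evidence that the policy does what was intended, so it is worth being able to read them mechanically. Below is an added example (not code from the original page) that parses the two message types shown, 302013 (connection built) and 106023 (denied by access-group), normalises each to initiator -> responder, and tallies flow starts per interface pair. SAMPLE_LOG is constructed from this page's own log lines; Flow, parse_asa_line and summarize are this example's helpers.

```python
# Added example (not code from the original page): a parser for the two ASA
# message types shown above, 302013 (connection built) and 106023 (denied by
# access-group), that normalises every line to initiator -> responder and
# tallies flows per interface pair.  SAMPLE_LOG is built from the page's own
# log lines; Flow, parse_asa_line and summarize are this example's helpers.
import re
from collections import Counter
from dataclasses import dataclass

BUILT = re.compile(
    r"%ASA-6-302013: Built (?P<direction>inbound|outbound) (?P<proto>\w+) "
    r"connection (?P<conn>\d+) for (?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<port1>\d+) "
    r"\([\d.]+/\d+\) to (?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<port2>\d+) \([\d.]+/\d+\)")
DENIED = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src (?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<port1>\d+) '
    r'dst (?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<port2>\d+) by access-group "(?P<acl>[^"]+)"')


@dataclass(frozen=True)
class Flow:
    result: str     # "built" or "denied"
    proto: str
    src_if: str     # interface the initiator sits behind
    src: str
    sport: int
    dst_if: str
    dst: str
    dport: int
    detail: str     # connection id for built flows, access-list name for denied ones


def parse_asa_line(line):
    """Return a Flow with the initiator as src, or None for any other message."""
    m = BUILT.search(line)
    if m:
        g = m.groupdict()
        # For an "outbound" connection the ASA prints the responder first and the
        # initiator after "to" (on the page: ouside:...:23 to inside:...:49351,
        # the ephemeral port being on the inside host), so swap the two sides.
        a = (g["if1"], g["ip1"], g["port1"])
        b = (g["if2"], g["ip2"], g["port2"])
        src, dst = (b, a) if g["direction"] == "outbound" else (a, b)
        return Flow("built", g["proto"].lower(), src[0], src[1], int(src[2]),
                    dst[0], dst[1], int(dst[2]), g["conn"])
    m = DENIED.search(line)
    if m:
        g = m.groupdict()
        return Flow("denied", g["proto"].lower(), g["if1"], g["ip1"], int(g["port1"]),
                    g["if2"], g["ip2"], int(g["port2"]), g["acl"])
    return None   # 302014 teardowns and anything else are not flow starts


def summarize(lines):
    """Count flow starts per (ingress interface, egress interface, dport, result)."""
    counts = Counter()
    for line in lines:
        flow = parse_asa_line(line)
        if flow is not None:
            counts[(flow.src_if, flow.dst_if, flow.dport, flow.result)] += 1
    return counts


# Constructed from the log lines on this page (trailing comments stripped).
SAMPLE_LOG = [
    '%ASA-6-302013: Built outbound TCP connection 105 for ouside:192.168.0.3/23 (192.168.0.3/23) to inside:10.0.0.1/49351 (10.0.0.1/49351)',
    '%ASA-6-302014: Teardown TCP connection 105 for ouside:192.168.0.3/23 to inside:10.0.0.1/49351 duration 0:00:15 bytes 77 TCP FINs',
    '%ASA-6-302013: Built outbound TCP connection 106 for dmz:20.0.0.2/23 (20.0.0.2/23) to inside:10.0.0.1/56955 (10.0.0.1/56955)',
    '%ASA-6-302014: Teardown TCP connection 106 for dmz:20.0.0.2/23 to inside:10.0.0.1/56955 duration 0:00:03 bytes 71 TCP FINs',
    '%ASA-6-302013: Built outbound TCP connection 107 for ouside:192.168.0.3/23 (192.168.0.3/23) to inside:10.0.0.1/62840 (10.0.0.1/62840)',
    '%ASA-6-302014: Teardown TCP connection 107 for ouside:192.168.0.3/23 to inside:10.0.0.1/62840 duration 0:00:05 bytes 71 TCP FINs',
    '%ASA-4-106023: Deny tcp src inside:10.0.0.1/34138 dst dmz:20.0.0.2/23 by access-group "INSIDE_IN" [0x71cd432c, 0x0]',
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{key[0]:>7} -> {key[1]:<7} dport {key[2]:<5} {key[3]}: {n}")
```

Run over the page's lines this yields two built inside-to-outside telnet flows (105 and 107), one built inside-to-dmz flow (106, before the ACL) and one inside-to-dmz deny by INSIDE_IN; the 302014 teardowns are ignored because they never represent a new flow.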

! Trace the denied flow with packet-tracer. "icmp ... 8 0" is an ICMP echo request (type 8, code 0);
! the deny rule matches "ip", so any protocol from 10.0.0.0/24 to 20.0.0.0/24 hits it, not just telnet.
ASA(config)# packet-tracer input inside icmp 10.0.0.1 8 0 20.0.0.2
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   20.0.0.0        255.255.255.0   dmz
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP  
Config:
access-group INSIDE_IN in interface inside
access-list INSIDE_IN extended deny ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0      <---- Access-list INSIDE_IN 
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop                                                                              <---- DROP
Drop-reason: (acl-drop) Flow is denied by configured rule                                 <---- Reason
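The packet-tracer phases above (route lookup, then the access-list on the ingress interface) are the order the ASA evaluates a new flow in. The following is an added example, not code from the original page, that models that decision so all three states this page touches can be reproduced: no access-group (security levels decide), INSIDE_IN as written, and INSIDE_IN without its final "permit ip any any" (the implicit deny then also blocks inside-to-outside). Interface names, levels, subnets and the access-list are the page's; Asa, Rule and page_asa are this example's own helpers.

```python
# Added example (not code from the original page): a small model of the order
# in which an ASA decides whether a new flow may start, so the three states on
# this page (no ACL, INSIDE_IN as written, INSIDE_IN without its final permit)
# can be reproduced.  Interface names, levels, subnets and the access-list are
# the page's; Asa, Rule and page_asa are this example's own helpers.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol; otherwise "tcp", "udp", "icmp"
    src: IPv4Network
    dst: IPv4Network

    def matches(self, proto, src, dst):
        return (self.proto in ("ip", proto)
                and IPv4Address(src) in self.src
                and IPv4Address(dst) in self.dst)


class Asa:
    def __init__(self):
        self.levels = {}         # nameif -> security level
        self.routes = []         # (IPv4Network, nameif)
        self.acls = {}           # access-list name -> [Rule] in config order
        self.access_groups = {}  # nameif -> access-list applied "in"

    def nameif(self, name, level):
        self.levels[name] = level

    def route(self, network, iface):
        self.routes.append((IPv4Network(network), iface))

    def access_list(self, name, action, proto, src, dst):
        # Mirrors "access-list NAME ACTION PROTO SRC DST"; "any" is 0.0.0.0/0.
        def net(spec):
            return IPv4Network("0.0.0.0/0" if spec == "any" else spec)
        self.acls.setdefault(name, []).append(Rule(action, proto, net(src), net(dst)))

    def access_group(self, acl, iface):
        self.access_groups[iface] = acl

    def egress_interface(self, dst):
        # Longest-prefix match, i.e. the ROUTE-LOOKUP phase of packet-tracer.
        best = None
        for net, iface in self.routes:
            if IPv4Address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def check(self, ingress, proto, src, dst):
        """Return (action, reason) for a new flow arriving on `ingress`."""
        egress = self.egress_interface(dst)
        if egress is None:
            return "drop", "no route to destination"
        acl = self.access_groups.get(ingress)
        if acl is not None:
            # An applied access-list replaces the security-level default on that
            # interface: first match wins, unmatched packets hit the implicit deny.
            for n, rule in enumerate(self.acls[acl], start=1):
                if rule.matches(proto, src, dst):
                    return ("allow" if rule.action == "permit" else "drop",
                            f"access-list {acl} line {n}")
            return "drop", f"implicit deny at end of access-list {acl}"
        # No access-group: a flow may start only from a higher level to a lower
        # one (equal levels also need same-security-traffic to be enabled).
        lvl_in, lvl_out = self.levels[ingress], self.levels[egress]
        if lvl_in > lvl_out:
            return "allow", f"{ingress}({lvl_in}) > {egress}({lvl_out})"
        return "drop", f"{ingress}({lvl_in}) <= {egress}({lvl_out})"


def page_asa(with_acl=True, with_permit_any=True):
    """Build the page's topology; the flags select which state to reproduce."""
    asa = Asa()
    asa.nameif("ouside", 0)      # spelled as it appears in the page's output
    asa.nameif("inside", 100)
    asa.nameif("dmz", 50)
    asa.route("192.168.0.0/24", "ouside")
    asa.route("10.0.0.0/24", "inside")
    asa.route("20.0.0.0/24", "dmz")
    if with_acl:
        asa.access_list("INSIDE_IN", "deny", "ip", "10.0.0.0/24", "20.0.0.0/24")
        if with_permit_any:
            asa.access_list("INSIDE_IN", "permit", "ip", "any", "any")
        asa.access_group("INSIDE_IN", "inside")
    return asa


if __name__ == "__main__":
    states = (("no ACL", page_asa(with_acl=False)),
              ("INSIDE_IN as on the page", page_asa()),
              ("INSIDE_IN without permit ip any any", page_asa(with_permit_any=False)))
    for label, asa in states:
        print(label)
        print("  inside -> outside:", asa.check("inside", "tcp", "10.0.0.1", "192.168.0.3"))
        print("  inside -> dmz    :", asa.check("inside", "tcp", "10.0.0.1", "20.0.0.2"))
        print("  dmz    -> inside :", asa.check("dmz", "tcp", "20.0.0.2", "10.0.0.1"))
```

The third state is the one to watch for in real configs: dropping the final permit from INSIDE_IN does not "tighten" the inside interface to its old default, it makes the implicit deny at the end of the list block inside-to-outside as well, which is exactly the reason the page's access-list ends with "permit ip any any". dmz-to-inside stays dropped in every state because dmz has no access-group and 50 is lower than 100.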