ASA Packet tracer Configuration

zone.lnr
Level 1

Hello, I tried to configure an ACL in Packet Tracer and I'm having some trouble with it.

Here is the lab:

[image: cisco.png]

I tried to allow DNS from DATA to the DMZ, but it doesn't work. I must allow >1023 ports from the DMZ in order to return an answer. Why can't I do an established ACL with the ASA?

6 Replies

Seb Rupik
VIP Alumni

Hi there,

Can you share the running config of the ASA?


cheers,

Seb.

Yes, of course!

ciscoasa#show run
: Saved
:
ASA Version 9.6(1)
!
hostname ciscoasa
names
!
interface GigabitEthernet1/1
 nameif inside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
interface GigabitEthernet1/2
 nameif dmz
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet1/3
 nameif DATA
 security-level 100
 ip address 172.16.20.1 255.255.255.0
!
interface GigabitEthernet1/4
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/5
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/6
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/7
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/8
 no nameif
 no security-level
 no ip address
 shutdown
!
interface Management1/1
 management-only
 no nameif
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
!
!
access-list int extended permit tcp 172.16.20.0 255.255.255.0 host 192.168.20.254 eq domain
access-list int extended permit tcp 172.16.20.0 255.255.255.0 host 192.168.20.2 eq www
access-list int extended permit udp 172.16.20.0 255.255.255.0 host 192.168.20.254 eq domain
access-list int extended permit udp 172.16.20.0 255.255.255.0 any eq domain
access-list int extended permit tcp 172.16.20.0 255.255.255.0 any eq domain
access-list int extended permit tcp host 192.168.20.2 172.16.20.0 255.255.255.0 eq www
access-list int extended permit tcp any any eq www
access-list int extended permit udp host 192.168.20.254 172.16.20.0 255.255.255.0 gt 1023
access-list int extended permit tcp host 192.168.20.254 172.16.20.0 255.255.255.0 gt 1023
access-list dmz extended permit tcp host 192.168.20.254 eq domain 172.16.20.0 255.255.255.0 eq domain
!
!
access-group int out interface DATA
access-group int in interface DATA
!
!
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd dns 192.168.20.254
!
dhcpd address 172.16.20.10-172.16.20.41 DATA
dhcpd enable DATA
!
!
!
!
!
router ospf 1
 log-adjacency-changes
 network 192.168.20.0 255.255.255.0 area 0
 network 172.16.0.0 255.255.0.0 area 0
 network 10.0.0.0 255.255.255.252 area 0
!
router rip
 version 2
!

So I added this:

access-list int extended permit udp host 192.168.20.254 172.16.20.0 255.255.255.0 gt 1023
access-list int extended permit tcp host 192.168.20.254 172.16.20.0 255.255.255.0 gt 1023


And it works, but I don't understand why it doesn't do it automatically...

Hi there,

Since you have the ACL applied in the OUTbound direction on the DATA interface, you will require those ACEs to explicitly permit the return traffic.


Personally I would remove the ACL in the OUT direction and just stick to INbound ACLs on all your interfaces.

!
no access-group int out interface DATA
!


cheers,

Seb.

Without the ACL gt 1023 it still doesn't work :'(

So you have completely removed the OUTbound ACL from the DATA interface? This just leaves the same ACL applied INbound on the DATA interface. The two ACEs you mention have a source host of 192.168.20.254, which means you would never get a flow which matches these, i.e. the host 192.168.20.254 sending traffic INbound to the DATA interface from the 172.16.20.0/24 subnet.


If you need those two ACEs present on an INbound ACL then there is something wrong with Packet Tracer!!
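An added example, not from the thread or from Cisco: a small Python model of ASA ACE matching that parses the "int" list from the running config above. It shows that the two "gt 1023" entries are only ever hit when the list is evaluated against the DNS reply (the OUTbound application on DATA) and can never match when the same list is applied INbound on DATA, where every source is in 172.16.20.0/24. The parser, the sample query/reply flows and the client port are assumptions made for illustration.

```python
import ipaddress

# Constructed from the "int" access-list in the running config posted above.
ACL_INT = [
    "permit tcp 172.16.20.0 255.255.255.0 host 192.168.20.254 eq domain",
    "permit tcp 172.16.20.0 255.255.255.0 host 192.168.20.2 eq www",
    "permit udp 172.16.20.0 255.255.255.0 host 192.168.20.254 eq domain",
    "permit udp 172.16.20.0 255.255.255.0 any eq domain",
    "permit tcp 172.16.20.0 255.255.255.0 any eq domain",
    "permit tcp host 192.168.20.2 172.16.20.0 255.255.255.0 eq www",
    "permit tcp any any eq www",
    "permit udp host 192.168.20.254 172.16.20.0 255.255.255.0 gt 1023",
    "permit tcp host 192.168.20.254 172.16.20.0 255.255.255.0 gt 1023",
]
PORT_NAMES = {"domain": 53, "www": 80}  # only the names used in this ACL

def _addr(tokens):
    """Consume one ASA address spec (any | host X | net mask); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def _port(tokens):
    """Consume an optional 'eq N' / 'gt N' port spec; return (predicate, rest)."""
    if tokens and tokens[0] in ("eq", "gt"):
        op, val = tokens[0], int(PORT_NAMES.get(tokens[1], tokens[1]))
        return ((lambda p: p == val) if op == "eq" else (lambda p: p > val)), tokens[2:]
    return (lambda p: True), tokens

def parse_ace(line):
    """Parse 'permit <proto> <src> [port] <dst> [port]' into a matchable dict."""
    action, proto, *rest = line.split()
    src, rest = _addr(rest)
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def first_match(acl, proto, src, sport, dst, dport):
    """Index of the first ACE the 5-tuple hits, or None (the implicit deny)."""
    for i, ace in enumerate(map(parse_ace, acl)):
        if (ace["proto"] == proto and ace["sport"](sport) and ace["dport"](dport)
                and ipaddress.ip_address(src) in ace["src"]
                and ipaddress.ip_address(dst) in ace["dst"]):
            return i
    return None

def unreachable_inbound(acl, iface_net):
    """ACEs whose source can never enter on an interface whose only hosts are iface_net."""
    net = ipaddress.ip_network(iface_net)
    return [i for i, ace in enumerate(map(parse_ace, acl)) if not ace["src"].overlaps(net)]
```

Evaluating the reply (192.168.20.254:53 to 172.16.20.10:49152) against the first seven entries returns None, which is the implicit deny the original poster hit with the ACL applied OUT; the same reply hits entry 7 once the gt 1023 lines exist, while entries 5, 7 and 8 are unreachable on an INbound DATA ACL.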

I concur with Seb.


You don't need the ACL applied in both directions. If you apply it inbound, the traffic will match your first statement. For reference, DNS recursion uses UDP (53); TCP is used for zone transfers.


Can you elaborate on what does not work?


Martin
