You could do something like the following:
ip access-list extended web-to-dmzServer-acl
permit tcp any host 192.168.2.3 80
permit tcp any host 192.168.2.3 443
class-map type inspect match-any web-to-dmzServer-cmap
match access-group web-to-dmzServer-acl
policy-map type inspect web-to-dmzServer-pmap
class type inspect web-to-dmzServer-cmap
inspect
zone security dmz
description DMZ services
zone security web
description Internet
zone-pair security web-to-dmz-pair source web destination dmz
interface Gig0/0/0
description Internet
zone-member security web
interface Gig0/0/1
description DMZ
zone-member security dmz
Verification:
show policy-map type inspect zone web
show policy-map type inspect zone dmz
show policy-map type inspect zone-pair web-to-dmz-pair
Keep in mind that inspect allows return traffic of the same flow. However if you require the DMZ servers to initiate traffic to other servers, PCs, or the internet, then this needs to be taken into account and added into the configuration. The configuration I have provided only allows for HTTP and HTTPS towards the DMZ server.
--
Please remember to select a correct answer and rate helpful posts