Hi, I think you're looking for something like this:
LAN
ip access-list extended LAN-2-DMZ-INET-IN
 ! allow traffic from lan to dmz and inet for www
 permit tcp any any eq www
ip access-list extended LAN-2-DMZ-INET-OUT
 ! allow only traffic back for 192.168.0.0 but no other traffic from dmz or inet
 permit ip any 192.168.0.0 0.0.0.255
! apply acl to interface
interface Fa0/0
 ip access-group LAN-2-DMZ-INET-IN in
 ip access-group LAN-2-DMZ-INET-OUT out
DMZ
ip access-list extended DMZ-2-INET-IN
 ! deny dmz traffic to lan
 deny ip any 192.168.0.0 0.0.0.255
 ! allow any other traffic
 permit ip any any
ip access-list extended DMZ-2-INET-OUT
 ! allow any traffic to dmz
 permit ip any any
! apply to interface
interface Fa0/1
 ip access-group DMZ-2-INET-IN in
 ip access-group DMZ-2-INET-OUT out
But I see 2 issues:
* I don't understand the overlap of 192.168.0.0/24 and 192.168.0.0/27? Better make it 192.168.1.0/27 or something.
** I don't know where the NAT overload is performed in the network, so I had to improvise.
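
An added example, not part of the original post: a small Python model of how a router evaluates the four ACLs above (wildcard-mask match, first match wins, implicit deny at the end). The sample packets and host addresses are constructed, and the model only looks at protocol, addresses and destination port.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard mask are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("192.168.0.0", "0.0.0.255")

# Entries as posted: (action, protocol, source, destination, dest port or None)
ACLS = {
    "LAN-2-DMZ-INET-IN": [("permit", "tcp", ANY, ANY, 80)],
    "LAN-2-DMZ-INET-OUT": [("permit", "ip", ANY, LAN, None)],
    "DMZ-2-INET-IN": [("deny", "ip", ANY, LAN, None),
                      ("permit", "ip", ANY, ANY, None)],
    "DMZ-2-INET-OUT": [("permit", "ip", ANY, ANY, None)],
}

def evaluate(acl, proto, src, dst, dport=None):
    """Return the action of the first matching entry, else the implicit deny."""
    for action, a_proto, a_src, a_dst, a_port in ACLS[acl]:
        if a_proto not in ("ip", proto):
            continue
        if not (wildcard_match(src, *a_src) and wildcard_match(dst, *a_dst)):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action
    return "deny"

# Constructed sample packets (addresses are assumptions, not from the post).
SAMPLES = [
    ("LAN-2-DMZ-INET-IN", "tcp", "192.168.0.100", "198.51.100.7", 80),
    ("LAN-2-DMZ-INET-IN", "udp", "192.168.0.100", "198.51.100.53", 53),
    ("LAN-2-DMZ-INET-OUT", "tcp", "198.51.100.7", "192.168.0.100", 3389),
    ("DMZ-2-INET-IN", "tcp", "192.168.0.10", "198.51.100.7", 443),
    ("DMZ-2-INET-IN", "tcp", "192.168.0.10", "192.168.0.100", 50000),
]

def run_samples():
    return [evaluate(*s) for s in SAMPLES]

if __name__ == "__main__":
    for sample, action in zip(SAMPLES, run_samples()):
        print(action, *sample)
    # Overlap: a 192.168.0.0/27 host also matches the LAN entry; 192.168.1.0/27 does not.
    print(wildcard_match("192.168.0.10", *LAN), wildcard_match("192.168.1.10", *LAN))
```

The third and fifth samples show that these entries match on addresses alone: the outbound LAN entry matches a new connection toward the LAN as well as a reply, and the DMZ deny entry matches a DMZ server's reply to a LAN client.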