Hey, I know this is an old thread but it's the top Google result. The problem with the written ACL solution is that the implicit deny at the end of the ACL will break the built-in permission for traffic to move from a higher to a lower level security zone...