I think I found what I need, but any other resources are welcome.
I typically implement this with four blocks of lines in the firewall rules:
Allow DMZ-system to any needed destination on other VLANs
Deny DMZ-network to all RFC1918; this is the LAN and all other DMZs
Allow needed traffic to "any" which is the internet in this case
Deny DMZ-network to any
Yes, this is much easier with zones like on Firepower. But it works well. And always remember that the firewall rules do not control traffic to VPN destinations. This is done in the Site-to-Site VPN section.
We use private IP addresses in the DMZ. Is it possible to NAT (1 to many) between the DMZ and LAN using private IP addresses?
Maybe I'm missing something, but from what I see so far the NAT rules either have to include a public IP address or an internet connection.
I would prefer the connection to initiate traffic from one side only. Besides that, you could easily integrate with the rest of the network without having to worry about IP address overlaps.
Allowing only to be initiated from one side is purely done with the ACL. No need for NAT. And if there is IP overlap inside of the network, something is severely wrong.
Severely wrong? You could have a need to assign an already used subnet for an external site-to-site VPN, for example. I can think of several instances where this is helpful. In smaller networks you probably will not have to deal with this. Cisco is more flexible when it comes to these types of configurations.
I was referring to overlapping subnets *inside* your own controlled infrastructure (which is DMZ-to-internal communication). For extranet S2S, yes, that is a different story, but with that the MX falls behind anyhow.
The firewall rules are stateful. You only have to allow the initial packet for a traffic flow and the return traffic is allowed automatically. My way to make sure that not too much traffic is allowed is described at the beginning of this discussion.
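As an added illustration (not from any of the posters above, and not Meraki code), the following Python simulates the four-block rule order described at the start of the thread together with the stateful behaviour described in the last post: first match wins for the initiating packet, and a minimal state table lets the reply packets of an allowed flow back without a rule of their own. The addresses, the DMZ system, the database port and the "needed" internet ports (80 and 443) are constructed for the demo and are assumptions; the default for sources the rule set does not cover is treated as deny only so the one-way-initiation point can be shown.

```python
from __future__ import annotations

import ipaddress

# Constructed sample addressing for the demo (assumption, not from the thread).
DMZ_NET = ipaddress.ip_network("192.168.50.0/24")
DMZ_WEB = ipaddress.ip_address("192.168.50.10")   # the "DMZ-system" that needs LAN access
LAN_DB = ipaddress.ip_address("10.0.1.20")        # its one needed destination on another VLAN
NEEDED_INTERNET_PORTS = {80, 443}                 # the "needed traffic" towards the internet

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    """True if addr falls in any RFC 1918 range (LAN and all other DMZs)."""
    return any(addr in net for net in RFC1918)


# The four blocks from the first post, as (name, match(src, dst, dport), action).
# Block 2 sits before block 3 so that "allow to any" can never reach another private subnet.
RULES = [
    ("1 allow DMZ-system -> LAN DB",
     lambda s, d, p: s == DMZ_WEB and d == LAN_DB and p == 5432, "allow"),
    ("2 deny DMZ-network -> RFC1918",
     lambda s, d, p: s in DMZ_NET and is_rfc1918(d), "deny"),
    ("3 allow DMZ-network -> any (needed ports)",
     lambda s, d, p: s in DMZ_NET and p in NEEDED_INTERNET_PORTS, "allow"),
    ("4 deny DMZ-network -> any",
     lambda s, d, p: s in DMZ_NET, "deny"),
]


def evaluate(src: str, dst: str, dport: int) -> tuple[str, str]:
    """Return (action, matched rule) for an initiating packet; first match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, match, action in RULES:
        if match(s, d, dport):
            return action, name
    # Simulation default for sources the DMZ rule set does not cover (assumption).
    return "deny", "no matching rule"


class StatefulFirewall:
    """Minimal state table: replies of an allowed flow need no rule of their own."""

    def __init__(self) -> None:
        self.established = set()  # (src, dst, sport, dport) of allowed initiating packets

    def process(self, src: str, dst: str, sport: int, dport: int) -> tuple[str, str]:
        # Reverse 4-tuple already recorded -> this is return traffic of an allowed flow.
        if (dst, src, dport, sport) in self.established:
            return "allow", "established (return traffic)"
        action, rule = evaluate(src, dst, dport)
        if action == "allow":
            self.established.add((src, dst, sport, dport))
        return action, rule


if __name__ == "__main__":
    fw = StatefulFirewall()
    # Constructed packets: (description, src, dst, sport, dport)
    packets = [
        ("DMZ web -> LAN DB (needed)",          "192.168.50.10", "10.0.1.20",     40000, 5432),
        ("LAN DB reply -> DMZ web",             "10.0.1.20",     "192.168.50.10", 5432, 40000),
        ("LAN DB unsolicited -> other DMZ host", "10.0.1.20",    "192.168.50.11", 5432, 40000),
        ("DMZ web -> other LAN host",           "192.168.50.10", "10.0.1.21",     40001, 5432),
        ("DMZ web -> other DMZ on 443",         "192.168.50.10", "172.16.9.9",    40002, 443),
        ("DMZ web -> internet 443",             "192.168.50.10", "93.184.216.34", 40003, 443),
        ("DMZ web -> internet SMTP",            "192.168.50.10", "93.184.216.34", 40004, 25),
    ]
    for desc, src, dst, sport, dport in packets:
        action, rule = fw.process(src, dst, sport, dport)
        print(f"{desc:40} {action:5} via {rule}")
```

Two things the run makes visible that the bare rule list does not: a DMZ host reaching another RFC 1918 subnet on port 443 is stopped by block 2 even though block 3 would allow 443, which is why the deny has to sit above the "allow to any"; and the database's reply to the DMZ host is accepted from the state table, while an unsolicited packet from the same LAN host to a different DMZ host is not, so one-sided initiation is indeed a matter of the ACL plus statefulness, not of NAT.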