IP Inspection Applied In the Wrong Direction

The direction in which an inspection rule is applied confuses many people who configure CBAC for the first time, because they think of a firewall as filtering traffic that arrives from an outside network into an inside network. From that picture, the natural assumption is that inspection should be applied to traffic coming from the untrusted side. The problem is that CBAC works in terms of conversations, not individual packets. If conversations are initiated from the inside (which is the case most of the time), inspection must be applied in the outbound direction so that CBAC sees the first packet of each session and can open a temporary hole for the replies. A useful rule of thumb: inspection is applied in the direction of conversation initiation, and the extended ACL is applied in the opposite direction.
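The two placements side by side in Cisco IOS syntax, as an added example that is not part of the original page; the interface names, the ACL name and the 203.0.113.0/30 and 192.0.2.0/24 addresses are constructed placeholders.

```cisco
! Inspection rule: track TCP, UDP and ICMP conversations
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
!
! Extended ACL applied on the untrusted side. Replies belonging to
! inside-initiated conversations get through only via the dynamic
! entries CBAC inserts ahead of this deny.
ip access-list extended OUTSIDE-IN
 deny   ip any any log
!
! --- WRONG: inspection applied inbound on the outside interface ---
! CBAC never sees the first packet of an inside-initiated session, so
! no dynamic opening is created and OUTSIDE-IN drops every reply.
! Symptom: inside hosts cannot reach anything beyond the router.
interface Serial0/0
 description Untrusted (outside) interface
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect CBAC in
!
! --- CORRECT: inspect in the direction sessions are initiated (out)
! and filter in the opposite direction (in) on the same interface ---
! Use this block instead of the one above.
interface Serial0/0
 description Untrusted (outside) interface
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect CBAC out
!
interface FastEthernet0/0
 description Trusted (inside) interface; sessions originate here
 ip address 192.0.2.1 255.255.255.0
!
! Verification after a host on 192.0.2.0/24 opens a connection outward:
!   show ip inspect sessions          -> the inside-initiated session is listed
!   show ip access-lists OUTSIDE-IN   -> temporary permit entries precede the deny
```

Applying `ip inspect CBAC in` on the inside interface instead is equivalent to the correct block, since both place inspection on the path the initiating packet takes.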