I have the following ACL. For the most part everything is working in the ACL as it should be. The problem is that even though 192.168.203.0 is permitted, I still get denies in the logs. The logs will be below the ACL. We switched from TCP to IP in the ACL and now we are no longer getting the denies but I don't understand why it was getting denied.

ip access-list extended veneer-203

permit tcp host 192.168.244.20 10.2.203.0 0.0.0.255 eq 80
permit tcp host 192.168.244.25 10.2.203.0 0.0.0.255 eq 80
permit tcp host 192.168.244.30 10.2.203.0 0.0.0.255 eq 80

permit tcp 192.168.203.0 0.0.0.255 10.2.203.0 0.0.0.255 eq 80 established
permit tcp 192.168.203.0 0.0.0.255 10.2.203.0 0.0.0.255 eq 443 established
permit tcp 192.168.203.0 0.0.0.255 10.2.203.0 0.0.0.255 eq 554 established

deny ip any any log

Jul 10 14:30:14 PDT: %SEC-6-IPACCESSLOGP: list veneer-203 denied tcp 192.168.203.45(64656) -> 10.2.203.52(80), 1 packet
Jul 10 14:30:24 PDT: %SEC-6-IPACCESSLOGP: list veneer-203 denied tcp 192.168.203.45(64671) -> 10.2.203.52(443), 1 packet
Jul 10 14:30:34 PDT: %SEC-6-IPACCESSLOGP: list veneer-203 denied tcp 192.168.203.45(64709) -> 10.2.203.51(443), 1 packet
Jul 10 14:31:04 PDT: %SEC-6-IPACCESSLOGP: list veneer-203 denied tcp 192.168.203.45(64729) -> 10.2.203.52(80), 1 packet