On the ASA, an inbound access-list controls traffic coming into an interface, aka ingress traffic.
So if I have an Internet-facing interface (outside) with security 0, and I wanted to control inbound traffic through this interface to internal hosts (on a dmz perhaps), I would apply the access-list as so
access-group TEST in interface outside
but I am looking at a FWSM config that seems to be doing the opposite. It has a vlan interface defined like this
interface Vlan58
description Network Management VLAN
nameif NetworkMgt
security-level 50
ip address 172.100.100.1 255.255.255.0
and an access-list that reads like this
access-list NETWORKMGT-IN remark THESE ACL STATEMENT PERMIT TRAFFIC FROM INSIDE THE SUBNET TO OUTSIDE HOSTS
access-list NETWORKMGT-IN extended permit tcp object-group CITRIX-SERVERS object-group DATABASE-SERVERS eq sqlnet
with the CITRIX-SERVERS as hosts on Vlan58 (172.100.100.0 /24)
and the access-list is applied as so:
access-group NETWORKMGT-IN in interface NetworkMgt
So what do we mean by "in" -- this is obviously egress traffic out of the interface, not traffic coming into the interface from the outside. On the FWSM do we control traffic into a vlan by an outbound access-list?
This just seems strange to me. Any advice would help.
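As an added illustration (not part of the original post, and not Cisco code), the following Python model shows how the ASA/FWSM reads access-group direction: "in" filters packets entering the firewall through the named interface, i.e. sourced from its attached segment, while "out" filters packets the firewall is about to send out of that interface. Only the Vlan58 subnet, the ACL and its binding come from the post; the object-group host addresses and the inside segment are assumed.

```python
from ipaddress import ip_address, ip_network

# Constructed model of ASA/FWSM access-group semantics, written for this example.
# "in" = packets ENTERING THE FIREWALL through the interface (from its segment);
# "out" = packets the firewall is about to SEND OUT of the interface.
OBJECT_GROUPS = {                       # host addresses are assumed
    "CITRIX-SERVERS": {"172.100.100.10", "172.100.100.11"},
    "DATABASE-SERVERS": {"10.20.30.40"},
}
# (action, proto, src-group, dst-group, dst-port); the sqlnet keyword is tcp/1521
ACLS = {"NETWORKMGT-IN": [("permit", "tcp", "CITRIX-SERVERS", "DATABASE-SERVERS", 1521)]}
INTERFACES = {                          # nameif -> (security-level, attached subnet)
    "NetworkMgt": (50, ip_network("172.100.100.0/24")),   # Vlan58 from the post
    "inside": (100, ip_network("10.20.30.0/24")),         # assumed DB segment
}
ACCESS_GROUPS = [("NETWORKMGT-IN", "in", "NetworkMgt")]   # as applied in the post

def interface_for(host):
    """Interface whose attached subnet contains host (the connected route)."""
    for name, (_, net) in INTERFACES.items():
        if ip_address(host) in net:
            return name
    raise ValueError(f"no interface for {host}")

def acl_permits(acl, proto, src, dst, dport):
    for action, p, sg, dg, port in ACLS[acl]:
        if p == proto and src in OBJECT_GROUPS[sg] and dst in OBJECT_GROUPS[dg] and port == dport:
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def allowed(proto, src, dst, dport):
    """May the firewall build a new connection src -> dst:dport?"""
    ingress, egress = interface_for(src), interface_for(dst)
    checks = [acl for acl, d, i in ACCESS_GROUPS
              if (d == "in" and i == ingress) or (d == "out" and i == egress)]
    if checks:  # once an ACL is bound in that direction, it alone decides
        return all(acl_permits(acl, proto, src, dst, dport) for acl in checks)
    # no ACL bound: only higher-to-lower security level passes by default
    return INTERFACES[ingress][0] > INTERFACES[egress][0]

if __name__ == "__main__":
    # Citrix host on Vlan58 opening sqlnet to the DB enters the firewall on
    # NetworkMgt, so NETWORKMGT-IN applies and permits it.
    print(allowed("tcp", "172.100.100.10", "10.20.30.40", 1521))   # True
    # Another Vlan58 host not in the object-group: same ACL, implicit deny.
    print(allowed("tcp", "172.100.100.99", "10.20.30.40", 1521))   # False
    # DB host toward Vlan58 LEAVES via NetworkMgt, so NETWORKMGT-IN never sees it;
    # only security levels apply, and 100 -> 50 is allowed.
    print(allowed("tcp", "10.20.30.40", "172.100.100.10", 22))     # True
```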