Moving Switch ACL to ASA Firewall ACL

petebardak1
Level 1

So I have a Cisco 6509 with an outbound ACL on an interface that faces a Cisco ASA 5580 firewall. I have converted this switch ACL into the format that the ASA will recognize and applied it in the inbound direction of the ASA interface facing the 6509. The only change I made on the ASA was to put a permit ip any log at the end because I wanted to make sure I'm not missing anything before completely removing the switch ACL. The switch ACL has a permit tcp any any established at the beginning and a deny ip any any at the end. There are a bunch of specific rules in between. With that said, I also omitted the permit tcp any any established because that is already implied on a firewall and there's no way to configure it anyway.

 

Flow of traffic seems to work fine in this direction, no ACLs in this direction:

[Source of traffic] ----------> ASA5580 -------> 6509 -------> [Destination traffic]

 

Unexpected return traffic gets caught by the last-resort permit any any at the end of the firewall ACL:

[Source of traffic] <---------- ASA5580 (ACL)<------- (ACL)6509 <------- [Destination traffic]

 

So after observing for a bit, I noticed that I'm actually matching on the permit any at the bottom of the ASA. This is leading me to believe that the permit tcp any any established on the switch ACL is letting some traffic through, but why is the ASA not automatically realizing that this is a stateful connection?

 

As a workaround, I've been adding general blanket statements above the permit any that I'm not too fond of.  

 

So my question is how could I be matching on the permit any any statement on the ASA? I would expect to see nothing matched, especially with the deny any at the bottom of the 6509 ACL facing the firewall.

 

Thanks in advance for any help :)

 

Pete
Accepted Solution

Vibhor Amrodia
Cisco Employee

Hi,

Are you seeing the return traffic being allowed by the Permit ANY ANY statement? If yes, does it have a LOG keyword? If yes, then this is expected and you can ignore the logs, as once the traffic is created after checking all the configured policies on the ASA devices, the return traffic will never be matched against the ACL on the interface.

Check this:

https://tools.cisco.com/bugsearch/bug/CSCso55505/?reffering_site=dumpcr

Thanks and Regards,

Vibhor Amrodia

3 Replies

Thanks a lot for the answer!

OK, so I have attached the last few lines of my firewall ACL. All those permit statements were put there because I saw they were logged by the permit ip any any log at the bottom. If I'm understanding you correctly, I don't need any of these permit statements? It looks like the firewall is not being stateful. I don't want the ACKs to be blocked...

I also opened up a TAC case on this issue and we came to the conclusion that the response given by Vibhor Amrodia is correct!  Thanks!
