Another 'alias' with ACL question

mkato
Level 1

From the Examples section for the 'alias' command in the 6.2 command ref: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#xtocid9

<snip>

In the next example, a web server is on the inside at 10.1.1.11 and a static command statement was created for it at 209.165.201.11. The source host is on the outside with address 209.165.201.7. A DNS server on the outside has a record for www.example.com as follows:

www.example.com. IN A 209.165.201.11

The period at the end of the www.example.com. domain name must be included.

The alias command follows:

alias 10.1.1.11 209.165.201.11 255.255.255.255

PIX Firewall doctors the nameserver replies to 10.1.1.11 for inside clients to directly connect to the web server.

The static command statement is as follows:

static (inside,outside) 209.165.201.11 10.1.1.11

The access-list command statement you would expect to use follows:

access-list acl_grp permit tcp host 209.165.201.7 host 209.165.201.11 eq telnet

====> I understand everything up to here <====

But with the alias command, use this command:

access-list acl_grp permit tcp host 209.165.201.11 eq telnet host 209.165.201.7

<snip>

...I do not understand why the source and destination terms in the ACL are simply swapped. Another thread here says that, for traffic arriving on an interface, ACLs are processed first...so again, why the swap? (I'm assuming the ACL is applied inbound on the outside interface).
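To make concrete what the quoted text means by "doctors the nameserver replies", here is an added illustration (not PIX code and not from the original post) that builds a constructed DNS reply for www.example.com and rewrites the A record the way the quoted `alias 10.1.1.11 209.165.201.11 255.255.255.255` line describes; the mapping, packet and function names are assumptions for the example, and it says nothing about the ACL ordering question itself.

```python
import struct

# Mapping constructed from the quoted "alias 10.1.1.11 209.165.201.11 255.255.255.255" (outside -> inside).
ALIAS_MAP = {"209.165.201.11": "10.1.1.11"}

def build_dns_reply(name: str, ip: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS response with one IN A answer (constructed sample packet)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, 1 question, 1 answer
    question = qname + struct.pack(">HH", 1, 1)                # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)  # ptr to qname, A, IN, TTL, rdlen
    return header + question + answer + bytes(int(o) for o in ip.split("."))

def skip_name(msg: bytes, off: int) -> int:
    # Return the offset just past a name; 0xC0 marks a two-byte compression pointer.
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def a_record_offsets(msg: bytes) -> list:
    """Offsets of the 4-byte rdata of every IN A record in the answer section."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off, found = 12, []
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4                # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            found.append(off)
        off += rdlen
    return found

def answer_ips(msg: bytes) -> list:
    return [".".join(str(b) for b in msg[o:o + 4]) for o in a_record_offsets(msg)]

def doctor_dns_reply(msg: bytes, alias_map: dict) -> bytes:
    """Rewrite A-record addresses listed in alias_map; everything else is left intact."""
    out = bytearray(msg)
    for o in a_record_offsets(msg):
        ip = ".".join(str(b) for b in msg[o:o + 4])
        if ip in alias_map:
            out[o:o + 4] = bytes(int(x) for x in alias_map[ip].split("."))
    return bytes(out)
```

An inside client resolving www.example.com through the firewall would thus receive 10.1.1.11 instead of 209.165.201.11, while replies for addresses not in the alias map pass through unchanged.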

1 Reply

bstremp
Level 2

I remember this workaround was introduced when the PIX started supporting multiple DMZ interfaces. I don't think reversing the addresses is required on a two interface PIX where the acl is permitting traffic to the inside. I would test it the other way first and if it works, provide feedback to the TAC on this document. I wish the alias command just did DNAT like it was originally designed and another command was used to fixup dns but that's not the case now.