Reading through the Cisco Press SNRS Quick Reference -- current one -- I have a problem with page 20. They're talking about how to configure CBAC with an ACL to block inbound traffic while applying "inspect" rules to the inside interface. They're obviously demonstrating the rule that says "put your rulesets closest to the source of the traffic." But it seems wrong.

They create an ACL that says:

access-list 100 deny ip any any

Then they create this inspect set:

ip inspect name MYFW tcp
ip inspect name MYFW udp
ip inspect name MYFW icmp

It breaks down here. They apply the ACL to the untrusted interface this way:

ip access-group 100 out

And the inspect ruleset to the trusted LAN interface:

ip inspect MYFW out

Shouldn't both of these rules end with "in"? That would put them closest to the traffic they're designed to filter. Interestingly, SDM seems to like to put the inspect ruleset on the outside interface inspecting outbound.

I guess I know my way is correct. I'm more wondering whether there's any sense whatsoever in doing it according to the book, or whether this is just another huge typo?
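For reference, here is a complete CBAC placement that follows the "closest to the source" rule described above. This is an added example, not the configuration from the Quick Reference or from the post: the interface names, addresses and the `log` keyword on the deny entry are assumptions chosen for illustration, while the inspect rule name and protocols are the ones from the post.

```cisco
! Added example (not from the Quick Reference or the post). Interface names,
! addresses and the "log" keyword are assumed for illustration.
!
! Inspection rule, named as in the post
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip inspect name MYFW icmp
!
! ACL for the untrusted side: deny everything CBAC has not dynamically
! permitted. Logging the deny makes unexpected inbound traffic visible.
access-list 100 deny ip any any log
!
interface FastEthernet0/0
 description Untrusted (Internet)
 ip address 203.0.113.2 255.255.255.252
 ! ACL inbound on the untrusted interface: Internet packets hit it on entry
 ip access-group 100 in
!
interface FastEthernet0/1
 description Trusted (LAN)
 ip address 192.168.1.1 255.255.255.0
 ! Inspection inbound on the trusted interface: LAN-originated sessions are
 ! inspected as they enter the router, and CBAC inserts temporary entries
 ! ahead of the deny in ACL 100 for the matching return traffic only
 ip inspect MYFW in
!
! Verification after a LAN host opens a session:
!   show ip inspect sessions      - the sessions CBAC is tracking
!   show ip access-lists 100      - the dynamic permit entries and deny hit counts
```

The placement SDM produces, inspection applied `out` on the untrusted interface together with the same ACL `in` on that interface, tracks the same LAN-originated sessions at the point where they leave the router and behaves equivalently; in both layouts the deny ACL sits inbound on the untrusted side, and `show ip inspect sessions` is the quickest way to confirm that inspection is actually seeing the sessions you expect.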