So, according to the above link, if in message ID 302013 or 302015 you see the keyword "outbound" it means that the addresses are flipped in the SYSLOG message. Instead of just putting them in there correctly, they indicate the direction with that keyword. Here is an example:
Jul 6 09:38:51 184.108.40.206 %ASA-6-302013: Built outbound TCP connection 1465712 for dev:10.1.4.84/25 (10.1.4.84/25) to inside:10.128.85.25/37281 (10.128.85.25/37281)
The above message is me initiating a TELNET session from my laptop (10.128.85.25) to the server 10.1.4.84 on TCP port 25. However, since my machine is located on the "inside" interface, and the target machine is located on the "dev" interface the ASA returns the message backwards and indicates that with the keyword "outside". It's very counterintuitive, since the "to" in between the two addresses would in English indicate direction!
So my question is this, how does the ASA determine what is inside and what is outside? Since in some scenarios you may have no interfaces named "inside" or "outside", I assume it's using interface security level? I can find no further explanations of how this works, does anyone know?
Thanks in advance