I have a question regarding operation steps on IPS on ASA - while configuring an access list for interesting traffic, do I need to use real or NATed addresses? Precisely, NAT and then access list, or access list and then NAT?
Keep the extended ACL close to the source and use the REAL IP address. NAT occurs within the ASA, so you are dealing with externals.
If you have 6 or 14 external, public IP addresses from your ISP, you can NAT ... otherwise you are stuck with PAT.
For inbound to outside: use the actual, REAL, public IP addresses you have been assigned by your ISP to permit certain traffic inbound. This could be access-list 100 or a named extended access list, such as "inbound-outside".
For inbound to inside interface: use the internal private IP address scheme [192.168.x.x, 172.16.x.x-172.31.x.x, 10.0.0.0] with the appropriate subnet mask to permit traffic from inside to outside for your users. Most folks open the "permit ip any any" here, but I prefer limiting to the specific internal, private addresses only. This might be access-list 102 or a named access-list, such as "inbound_inside".
Traffic, which is not "permitted", will be implicitly denied.
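To make the "NAT first or ACL first" question concrete, here is a small Python model of the two ACLs described in the answer above ("inbound-outside" and "inbound_inside") with a static NAT entry in between. It is an added illustration written for this page, not ASA code or anything from the original poster; the addresses are constructed from the RFC 5737 documentation ranges and RFC 1918, and the static NAT entry is invented for the example. One caveat a practitioner should check against their own ASA version: from ASA 8.3 onward, interface ACLs are evaluated against the real (untranslated) address in both directions, so an ACL applied inbound on the outside interface names the inside host's private IP, while releases before 8.3 matched the mapped public address as it arrived on the wire. The model lets you flip that switch and see which ACL permits and which falls through to the implicit deny.

```python
"""Model of how a Cisco ASA orders NAT and interface ACLs.

Illustrative simulation written for this page, not ASA code. Addresses are
constructed examples: 203.0.113.0/24 and 198.51.100.0/24 (RFC 5737 documentation
ranges) stand in for public space, 192.168.1.0/24 for the inside network.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    """One access-control entry, e.g. 'permit tcp any host 192.168.1.10 eq 443'."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol, else "tcp" / "udp"
    src: str                    # "any", a host address, or a CIDR
    dst: str
    dport: Optional[int] = None  # None means any destination port


def _in_net(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate_acl(acl: List[Ace], pkt: Packet) -> bool:
    """First matching ACE wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_in_net(ace.src, pkt.src) and _in_net(ace.dst, pkt.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action == "permit"
    return False


# Static NAT table, mapped (public) -> real (inside). Constructed for the example.
STATIC_NAT = {"203.0.113.10": "192.168.1.10"}


def untranslate_dst(pkt: Packet) -> Packet:
    """Replace a mapped destination with the real inside address."""
    return replace(pkt, dst=STATIC_NAT.get(pkt.dst, pkt.dst))


def inbound_outside(pkt: Packet, acl: List[Ace], acl_sees_real: bool) -> bool:
    """Packet arriving inbound on the outside interface.

    acl_sees_real=True models ASA 8.3 and later: NAT untranslation happens
    before the ACL check, so the ACL must name the real inside address.
    acl_sees_real=False models releases before 8.3: the ACL is checked
    against the mapped public address exactly as it arrived on the wire.
    """
    if acl_sees_real:
        pkt = untranslate_dst(pkt)
    return evaluate_acl(acl, pkt)


def inbound_inside(pkt: Packet, acl: List[Ace]) -> bool:
    """Inbound on the inside interface: sources are private addresses either way."""
    return evaluate_acl(acl, pkt)


# "inbound-outside" written with the public address, as the answer suggests.
INBOUND_OUTSIDE_PUBLIC = [Ace("permit", "tcp", "any", "203.0.113.10/32", 443)]
# The same intent written with the real inside address (ASA 8.3+ style).
INBOUND_OUTSIDE_REAL = [Ace("permit", "tcp", "any", "192.168.1.10/32", 443)]
# "inbound_inside": only the internal subnet may go out, instead of "permit ip any any".
INBOUND_INSIDE = [Ace("permit", "ip", "192.168.1.0/24", "any")]


def demo() -> dict:
    """Run the same packets through both orderings and return permit/deny results."""
    web = Packet(src="198.51.100.7", dst="203.0.113.10", proto="tcp", dport=443)
    return {
        "public_acl_pre83": inbound_outside(web, INBOUND_OUTSIDE_PUBLIC, acl_sees_real=False),
        "public_acl_83plus": inbound_outside(web, INBOUND_OUTSIDE_PUBLIC, acl_sees_real=True),
        "real_acl_83plus": inbound_outside(web, INBOUND_OUTSIDE_REAL, acl_sees_real=True),
        "real_acl_pre83": inbound_outside(web, INBOUND_OUTSIDE_REAL, acl_sees_real=False),
        "inside_user": inbound_inside(Packet("192.168.1.50", "198.51.100.7"), INBOUND_INSIDE),
        "rogue_subnet": inbound_inside(Packet("10.0.0.5", "198.51.100.7"), INBOUND_INSIDE),
    }


if __name__ == "__main__":
    for name, permitted in demo().items():
        print(f"{name}: {'permit' if permitted else 'deny (implicit)'}")
```

The point the model makes: an ACL written for the wrong side of the NAT does not produce a deny entry you can see in the config, it simply never matches and the packet hits the implicit deny at the end, which is why checking the version-specific ordering (and `show access-list` hit counts) is worth doing before assuming a rule is wrong.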