For any inbound traffic (all packets), i.e. from LOWER security-level to HIGHER security-level, here is the order of operation on Cisco firewalls:
- Access-list check
- Any policing/shaping applied for QoS
- NAT
- Route table lookup
For any outbound traffic (all packets), i.e. from HIGHER security-level to LOWER security-level, here is the order of operation on Cisco firewalls:
- Access-list check
- Any policing/shaping applied for QoS
- Route table lookup
- NAT
Here is the order of preference for NAT:
1. NAT0
2. Policy static NAT
3. Policy NAT
4. Static PAT
5. Static NAT
6. Dynamic NAT
In answer to your 2nd question: what will the ASA do if the session already exists, will it bypass the ACL check or NAT etc.?
We need to remember that the Cisco ASA (Adaptive Security Appliance) remembers the state of a connection until it is finished by the parties involved. Also, a NAT translation built by the ASA does not time out until 3 hours (default xlate timeout timer) for a specific flow. Moreover, the NAT xlate is built PER FLOW and NOT per packet by the firewall. After doing all the initial checks once, the session is set up and the firewall (being adaptive) will not do any more checks for return traffic, because it remembers the connection.
Here is a useful link for you:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
Feel free to let me know if you have any more questions.
HTH
Vijaya
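
The first-packet versus established-flow handling described in the answer above, as an added example that is not part of the original post and is not ASA code: a simplified Python model of the outbound order (ACL check, route lookup, NAT) with state remembered per flow. The class names, rule set and addresses are constructed for illustration.

```python
# Simplified model (assumption, not ASA code) of the outbound order in the post:
# ACL check -> route lookup -> NAT on the first packet, then a per-flow state hit.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Firewall:
    acl: set                                      # permitted (src, dst, dport)
    nat_ip: str                                   # constructed mapped address
    conns: dict = field(default_factory=dict)     # outbound flow -> xlate
    returns: dict = field(default_factory=dict)   # expected reply -> real host
    acl_checks: int = 0
    trace: list = field(default_factory=list)     # stages run, in order

    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.conns:                     # established flow: no re-check
            self.trace.append("conn-hit")
            return Packet(*self.conns[key], p.dst, p.dport)
        self.acl_checks += 1
        self.trace.append("acl")
        if (p.src, p.dst, p.dport) not in self.acl:
            return None                           # denied: no state is created
        self.trace += ["route", "nat"]
        xlate = (self.nat_ip, p.sport)            # translation built once per flow
        self.conns[key] = xlate
        self.returns[(p.dst, p.dport, *xlate)] = (p.src, p.sport)
        return Packet(*xlate, p.dst, p.dport)

    def inbound_return(self, p):
        # Return traffic is matched against remembered state only.
        real = self.returns.get((p.src, p.sport, p.dst, p.dport))
        if real is None:
            return None   # no remembered flow; the model stops here
        self.trace.append("conn-hit")
        return Packet(p.src, p.sport, *real)

if __name__ == "__main__":
    fw = Firewall(acl={("10.1.1.10", "203.0.113.5", 80)}, nat_ip="198.51.100.1")
    pkt = Packet("10.1.1.10", 40000, "203.0.113.5", 80)
    print(fw.outbound(pkt), fw.outbound(pkt), fw.acl_checks, fw.trace)
    print(fw.inbound_return(Packet("203.0.113.5", 80, "198.51.100.1", 40000)))
```

In the model, the ACL counter stays at 1 however many packets of the same flow pass, and a reply that matches no remembered flow is not translated back.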