PIX always looks at translation rules first, then looks at access-lists. Only if there is a translation rule (ie NAT or static) for the packet is it forwarded to the acl to see if the packet is allowed through. Therefore the packet must pass both translation rules and acl rules before it is forwarded.
If you apply your acl inbound on your inside interface the IP in the acl would be your internal IPs. The PIX will check to make sure there is a NAT command that matches those IPs, then it will be passed to your acl. So it will check that a translation rule exists, compare the packet to your acl, then perform NAT.
eg access-list inside_access_internet permit tcp host 10.10.10.10 any eq 80
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface (or global (outside) 1 220.127.116.11 netmask 255.255.255.224)
access-group inside_access_internet in interface inside
If you apply the acl inbound on your external interface, it will check to make sure the inbound connection has a translation rule (either static or a dynamic translation) and then will pass the packet to the acl and then perform NAT.
eg access-list internet_access_int permit tcp any 18.104.22.168 any eq 80
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...