I am working with a Cisco ASA and putting together my ACLs and NAT. Does NAT occur before the ACL check, or does the ACL check occur before the NAT? I have the ACL on the incoming interface for all ACLs, so it is before any routing decisions, but is it also before NAT?
That is normal for static commands. The first IP must be appropriate for the interface named second, and the second IP must be appropriate for the interface named first. No, I don't know why they chose that order.
I happened to notice a section in the ASA documentation that discusses this point specifically.
I am not familiar with PIX/ASA 7.x operational details. In PIX 6.x, the rule was approximately "the source and destination should reflect what would be seen on the wire at the point of normal application of the ACL". The major ambiguity about this that then needed to be resolved was this: "crypto map match address ACLs are applied for outgoing traffic -after- NAT has taken place, and are applied for incoming traffic -before- NAT has taken place" (and hence the ACLs reflect what would go into the VPN tunnel interface.)
So, an ACL applied as an access-group to an outside interface would use the public IPs in the destination fields because that's what is on the wire; an ACL applied as an access-group to an inside interface would use the internal IPs as the sources because that's what is on the wire for them.
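As an added illustration of the wire-address rule described in the answer above (not part of the original thread), here is a pre-8.3 ASA `static` translation with one access-group on each interface, using constructed documentation addresses; the interface names, ACL names and port are assumptions, and the address placement applies to that older syntax, which the answer is describing.

```cisco
! Added example, not from the original post. Pre-8.3 ASA syntax;
! all addresses are constructed documentation ranges.
! Inside host 10.0.0.10 is published on the outside as 203.0.113.10.
! static (real_ifc,mapped_ifc) mapped_ip real_ip: the first IP belongs to
! the interface named second (outside), the second IP to the one named first.
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255

! Inbound on the outside interface the packet still carries the public
! destination (NAT has not yet happened on this path), so the ACL
! matches the mapped address, not 10.0.0.10.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Inbound on the inside interface the packet carries the real source
! address, so the ACL matches the internal address, not the mapped one.
access-list INSIDE_IN extended permit tcp host 10.0.0.10 any eq 443
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
```

The explicit `deny ip any any log` at the end of each list makes dropped traffic visible in syslog, which is the quickest way to confirm on a live box which address the ACL actually saw.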