Generally, the order of operations for incoming and outgoing packets can be seen in this document:
Having said that, when we say that the access list is always checked before NAT, it means that source and destination addresses of the packet will be examined and matched BEFORE the translation occurs.
So let’s say you have a web server on your DMZ with an IP address of 10.10.10.10 and a NAT translation rule that translates this IP address to an external address of 126.96.36.199. A host with an IP address of 188.8.131.52 on the internet sends a packet to your web server. The packet will have a source address of 184.108.40.206 and a destination address of 220.127.116.11.
Now which particular IP addresses you will be filtering depend on your access list, which interface it is applied on and in which direction. For example:
If you want to filter this traffic with an INCOMING access list on the OUTSIDE interface, you will have to filter based on public source and destination IP addresses, because the access list will act on the packet BEFORE any addresses are translated.
If you want to filter this traffic with an OUTGOING access list on the DMZ interface, you will have to filter based on public source addresses and private destination addresses. This is because at this point, the NAT translation has already taken place on the incoming interface, and the destination IP address in the packet will be the translated address of 10.10.10.10. Note that for such incoming traffic, the source address of 18.104.22.168 is not translated. Only the destination address, that of the web server is.
I hope this has been helpful!