ino
Level 1

I can use an ACL for matching; I just don't know what to match.

If I have an ACL with the target IP it works, but if I have a source it doesn't:

permit ip host 10.0.0.11 any -- won't match traffic from 10.0.0.11

permit ip any host 1.2.3.4 -- will match traffic to 1.2.3.4 from any device; it's just no use to me

 

I suspect that the NAT is done and then the ACL, so my internal IP is gone and replaced by the external one, and so I can't match it any longer, or something along those lines.

 

I will stay with marking on the switch; it seems more logical to me and more manageable.