From ingress to egress:
stateless IOS IPS -> IPSec decryption -> auth proxy -> input ACL -> virtual fragment inspection -> NAT before routing -> routeing -> NAT after routing -> stateful IOS IPS -> outbound ACL -> ISO FW -> IPSec encryption
HTH.
Alex Yeung