Hello Garland Moore ,

Not sure you checked this document or not but this is a very good compilation of how the nat works post 8.3 , do take a moment to check this out and I am sure it will address most of your queries:-
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Taking your example:

object network WebServer
host 192.168.1.5
nat (inside,outside) static 1.1.1.1 service tcp 80 80

This nat command is defined under an object and is static in nature.
That means if anyone from outside tries to reach 1.1.1.1:80 , it is translated to 192.168.1.5:80 and vice verssa. What that means is , hypothetically , if 192.168.1.5 iniated traffic from port 80(usually source port number is random) , it would have been translated to 1.1.1.1:80

does the nat command only apply to the return traffic from the web server since the ACL will forward the HTTP traffic to the internal host?
This nat applies to all the traffic initiated from outside destined to 1.1.1.1:80. You dont need another nat to allow traffic from web-server at 192.168.1.5 to be able to send the traffic back to host on internet.

can someone break down the nat command?
The order of interfaces surely matters if you are using dynamic nat.
If you have static nat , then as long as you have correct IPs defined in nat, any order will work. Ideally, when we define an object, like in your case , we use the syntax (inside,outside) similar to what you defined in nat above.

when using "source" in the nat command, that is referring to the source IP correct?
That is correct.

Why do you not need a nat command in the reverse order "nat (outside,inside)" for the translation?
As stated above, once the traffic traverses over ASA, it creates and translation entry in xlate table which stays there until timeout period expires.

This translation entries confirm that we have mapped 192.168.1.5 to 1.1.1.1 on port 80 thus we don't need the other command.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Dinesh has answered your questions quite well, but I will try to answer them slightly different so that you perhaps get a different point of view.

My question is, does the nat command only apply to the return traffic from the web server since the ACL will forward the HTTP traffic to the internal host? 

When the initial packet crosses the ASA from the inside host (192.168.1.5) it goes through a series of security checks (this includes the ACL check, RPF, sequence number, routing, etc.).  If the packet passes these security checks it is placed in the state table.  When the return traffic enters the ASA, the ASA checks the packet against the state table to see if there is an existing connection for the traffic flow.  If there is an entry in the state table, the packet has already passed the security checks and will be forwarded straight to the inside host without doing any further security checks.  If there is no entry in the state table, the ASA will do the security checks.

Also, can someone break down the nat command? i.e. I know the "(inside,outside)" refers to the named interfaces but the order also matters right?

Also using the example you provided.

object network WebServer

host 192.168.1.5
nat (inside,outside) static 1.1.1.1 service tcp 80 80

In NAT after 8.3 you have manual NAT, Auto-NAT, and after-auto NAT. This type of NAT is also called Auto-NAT or section 2 NAT (can also be refered to as object NAT). the format of the command is:

nat (real_int,mapped_int) static mapped_IP service tcp real_port mapped_port

I think this is quite self explanatory but if you require further explanation please let me know

When nesting the NAT statement under the object you are implying that the IP or subnet defined within the object  is the real IP or the IP that is to be translated to something else.  Keep in mind that here you can use both static and dynamic NATs, where Static is bidirectional, meaning that traffic can be sourced from the outside or translated interface and still match the NAT statement. Dynamic NAT is only unidirectional.

when using "source" in the nat command, that is referring to the source IP correct?

Correct.  But you do not have an option to select destination when using auto-NAT so as I mentioned earlier, it is implied that the IP / subnet you specify in the object is the source.  When using twice NAT you can start specifying destination and it is then possible to translate the destination address as well as having the NAT statement only affect a traffic when heading toward that specific destination.

Why do you not need a nat command in the reverse order "nat (outside,inside)" for the translation?

for static translations, NAT is bidrectional (as I mentioned earlier).  It is only in very rare occasions where you have a special requirement that you would need to specify the outside interface as the real_int.  I have never actually come across a situation where I needed to define a NAT statement this way.  It is always best to define the inside network as the source or real_int and the outside network or network with a lower security level as the mapped_int.

--

Please remember to select a correct answer and rate helpful posts