In the PIX, acls can only be applied inbound. If you want outbound filtering you could use the "outbound" command (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/mr.htm#xtocid9 ).
If you apply your acl inbound on your inside interface the IP in the acl would be your internal IPs. The PIX will check to make sure there is a NAT command that matches those IPs, then it will be passed to your acl. So it will check that a translation rule exists, compare the packet to your acl, then perform NAT.
eg access-list inside_access_internet permit tcp host 10.10.10.10 any eq 80
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface (or global (outside) 1 209.165.202.128 netmask 255.255.255.224)
access-group inside_access_internet in interface inside
If you apply the acl inbound on your external interface, it will check to make sure the inbound connection has a translation rule (either static or a dynamic translation) and then will pass the packet to the acl and then perform NAT.
eg access-list internet_access_int permit tcp any 200.200.200.200 any eq 80
static (inside,outside) 200.200.200.200 10.10.10.10 netmask 255.255.255.255 0 0
access-group internet_access_inside in interface outside
A router on the other hand will check inbound acls, perform NAT, then check outbound acls.
Hope it helps.
Steve
