Policy is matched prior to NAT, so you should use the pre-NAT object in the policy. For outbound connections using Hide NAT, the source will be the original inside network. For inbound connections using static NAT the destination should be the Internet-routable address prior to the NAT operation. You can put the object representing the post-NAT address(es) in the rule as well if you want but it is not necessary.
Also the NAT "layer" must be kept separate in the Access Control policy and cannot be combined into a single policy layer like the features Firewall, APCL/URLF, & Content Awareness can be if using an R80.10 gateway. I don't think the NAT policy is a "real" policy layer anyway since you can't use Security Zone objects in it.
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
New 2-day Live "Max Power" Series Course Now Available:
"Gateway Performance Optimization R81.20" at maxpowerfirewalls.com