Hi ronydc86,
Not quite - the diagram isn't showing VPN decryption occuring at all.
Depending on the type of VPN you're configuring, it will be different as well.
If you configure a route-based VPN, the traffic is decrypted outside the flow chart, and the vpn tunnel is treated just like any other interface - so the First Packet in the diagram would be traffic from the tunnel already decrypted.
If however you are using policy-based VPN then the First Packet will be decrypted around the Policy step, and available for NAT services.
Keep in mind though that the diagram doesn't show the full story either - source NAT takes place before Policy lookup, and destination NAT takes place after, so based on this, I don't think you can source-NAT traffic coming in via a Policy-based VPN.