
ASA 5506-X NAT ACL Drop

Mike-
Level 1

Hi, I cannot pass traffic through the ASA to the web server. Packet tracer shows an ACL drop even without an ACL configured. I can SSH and HTTPS to the ASA outside interface. My setup is

1.2.3.4 - Outside ( Verizon action tech router) inside -192.168.1.1 ->

192.168.1.140 Outside (ASA) inside 172.17.1.254 -> 172.17.1.1-NIC Web Server

Here is the packet trace I can also provide a sanitized config.

Not sure what a suboptimal-lookup is.

Thank you for any help.

 

securebox(config-if)# packet input outside tcp 192.168.1.140 www 172.17.1.1 www

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f9219bc2830, priority=13, domain=capture, deny=false
hits=41103, user_data=0x7f921a68cbf0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=outside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f9219b43790, priority=1, domain=permit, deny=false
hits=1421590, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.17.1.1 using egress ifc inside

Phase: 4
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information:
ifc selected is not same as preferred ifc
Doing route lookup again on ifc outside

Phase: 5
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.140 using egress ifc outside

Phase: 6
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f921a46a6b0, priority=500, domain=permit, deny=true
hits=3, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.1.140, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

11 Replies

There are multiple ways to address this problem. The best way (IMO) is to reconfigure the Verizon device to "modem" mode, assuming that it is a DSL router. With that, you control the public IP and the NAT on the ASA, which is less complex.

 

If that is not possible, the typical configuration is done the following way:

The DSL router has a static route to all internal networks pointing to the ASA outside interface. Sometimes there is an option like "exposed host" or "DMZ host" that has to point to the ASA. As the DSL router is doing NAT/PAT here, the ASA should not have any NAT configured. You only need access control from the internet (any) to your internal resources.

 

For your packet-tracer, if 192.168.1.140 is the IP of the ASA, repeat the packet-tracer with a public source like 1.2.3.4 and look at the result of that.

Output from packet-tracer from my Actiontec public IP to the web server behind the ASA:

packet-tracer input outside tcp 47.1.2.3  www 172.17.1.1 www detailed

 

Phase: 8 
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source static any interface service HTTP HTTP
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f9219cb24a0, priority=6, domain=nat-reverse, deny=false
hits=23, user_data=0x7f9218701660, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=any, dscp=0x0
input_ifc=outside, output_ifc=inside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

ngkin2010
Level 7

>>> packet input outside tcp 192.168.1.140 ...

 

 

Phase: 5
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
>>> found next-hop 192.168.1.140 using egress ifc outside


It's because both your source and destination are on the outside interface, the same interface. Please verify whether the traffic will pass through your ASA or not.

 

Please post some of your configuration:

1. security level of your outside interface and inside interface
2. show route 47.1.2.3
3. show route 172.17.1.1
4. show run access-group
5. show run access-list
6. show xlate

 

** Remember to hide/transform any sensitive data (e.g. public IP addresses).

1.) security level of your outside interface and inside interface
securebox(config)# show nameif
Interface Name Security
GigabitEthernet1/1 outside 0
GigabitEthernet1/2 inside 100

 

2.) show route 47.1.2.3
securebox(config)# show route 47.1.2.3

% Network not in table

***I do have a default route that allows me to ping google.com from host 172.17.1.1
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside

 

3.) show route 172.17.1.1
securebox(config)# show route 172.17.1.1

Routing entry for 172.17.1.0 255.255.255.0
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via inside
Route metric is 0, traffic share count is 1


4.) show run access-group
securebox(config)# show run access-group
access-group test2 in interface outside
access-group test2 in interface inside

 

5.) show run access-list
securebox(config)# show access-list
access-list test2 extended permit tcp any any eq www

 

6.) show xlate
securebox(config)# show xlate
20 in use, 238 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from inside:0.0.0.0/0 80-80 to outside:192.168.1.140 80-80
flags srT idle 0:16:44 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 0 to inside:0.0.0.0/0 0
flags srIT idle 0:16:44 timeout 0:00:00
TCP PAT from inside:172.17.1.1 443-443 to outside:192.168.1.140 443-443
flags srT idle 34:48:20 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 0 to inside:0.0.0.0/0 0
flags srIT idle 34:48:20 timeout 0:00:00
NAT from outside:0.0.0.0/0 to pc:0.0.0.0/0
flags sIT idle 84:54:24 timeout 0:00:00
NAT from outside:0.0.0.0/0 to pc:0.0.0.0/0
flags sIT idle 34:33:00 timeout 0:00:00
NAT from inside:172.17.1.1 to outside:192.168.1.140
flags sT idle 0:20:09 timeout 0:00:00
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 24:34:21 timeout 0:00:00
TCP PAT from outside:192.168.1.140 80-80 to inside:172.17.1.1 80-80
flags srT idle 24:31:14 timeout 0:00:00
TCP PAT from inside:0.0.0.0/0 0 to outside:0.0.0.0/0 0
flags srIT idle 24:31:14 timeout 0:00:00

TCP PAT from pc:10.10.0.12/59706 to outside:192.168.1.140/59706 flags ri idle 0:00:05 timeout 0:00:30
UDP PAT from pc:10.10.0.12/51746 to outside:192.168.1.140/51746 flags ri idle 0:00:44 timeout 0:00:30
UDP PAT from pc:10.10.0.12/37834 to outside:192.168.1.140/37834 flags ri idle 0:01:48 timeout 0:00:30
UDP PAT from pc:10.10.0.12/48465 to outside:192.168.1.140/48465 flags ri idle 0:00:19 timeout 0:00:30
TCP PAT from pc:10.10.0.12/56152 to outside:192.168.1.140/56152 flags ri idle 0:47:20 timeout 0:00:30
TCP PAT from pc:10.10.0.9/37595 to outside:192.168.1.140/37595 flags ri idle 0:08:00 timeout 0:00:30
TCP PAT from pc:10.10.0.9/49787 to outside:192.168.1.140/49787 flags ri idle 0:08:02 timeout 0:00:30
TCP PAT from pc:10.10.0.9/43126 to outside:192.168.1.140/43126 flags ri idle 0:13:05 timeout 0:00:30
TCP PAT from pc:10.10.0.9/42952 to outside:192.168.1.140/42952 flags ri idle 0:13:17 timeout 0:00:30
TCP PAT from pc:10.10.0.9/38518 to outside:192.168.1.140/38518 flags ri idle 11:43:01 timeout 0:


***I have a switch and WAP that are used for internet access
***Everything else works, can't access the web server externally

Added a temporary ACL to allow all; packet-tracer shows an ACL drop, but Phase 8: NAT is where the drop occurs.

 

show access-list

access-list test2; 1 elements; name hash: 0x2bb0eb81
access-list test2 line 1 extended permit tcp any any eq www (hitcnt=3) 0xb4c001f6

 

show run access-group

securebox(config)# show run access-group
access-group test2 in interface outside

securebox(config)# packet input outside tcp 47.1.2.3 www 172.17.1.1 www detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f9219bc2830, priority=13, domain=capture, deny=false
hits=174281, user_data=0x7f921a68cbf0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=outside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f9219b43790, priority=1, domain=permit, deny=false
hits=1458537, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.17.1.1 using egress ifc inside

Phase: 4
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.1 using egress ifc outside

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group test2 in interface outside
access-list test2 extended permit tcp any any eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f921a5ddeb0, priority=13, domain=permit, deny=false
hits=2, user_data=0x7f92205d31c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f92193d9dd0, priority=0, domain=nat-per-session, deny=false
hits=31693, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f9219b4b360, priority=0, domain=inspect-ip-options, deny=true
hits=31800, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source static any interface service HTTP HTTP
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f9219cb24a0, priority=6, domain=nat-reverse, deny=false
hits=14, user_data=0x7f9218701660, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=any, dscp=0x0
input_ifc=outside, output_ifc=inside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
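Both traces in this thread end with "Drop-reason: (acl-drop) Flow is denied by configured rule", yet in the second one the phase that actually returned DROP is "NAT / rpf-check", not an ACCESS-LIST phase. The helper below is an added example (not code from the thread or from Cisco): it parses packet-tracer output, reports the dropping phase and the config line the ASA printed for it, flags the acl-drop-on-a-NAT-phase mismatch, and lists any SUBOPTIMAL-LOOKUP phases with the reason text the ASA gave. The sample input is trimmed from the trace posted above; everything else (function and field names) is this example's own.

```python
"""Parse Cisco ASA packet-tracer output and point at the phase that really
dropped the flow.  Added example, not from the thread; SAMPLE below is
trimmed from the trace posted above."""
import re
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"


def parse_packet_tracer(text):
    """Return (phases, final) where final maps the keys of the trailing
    'Result:' block (input-interface, action, drop-reason, ...) to values."""
    phases, final, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = Phase(int(m.group(1)))
            phases.append(cur)
            section = None
            continue
        if line.startswith("Result:"):
            value = line[len("Result:"):].strip()
            if value and cur is not None:
                cur.result = value             # per-phase ALLOW / DROP
            else:
                cur, section = None, "final"   # bare "Result:" opens the summary block
            continue
        if section == "final":
            key, _, value = line.partition(":")
            final[key.strip().lower()] = value.strip()
        elif cur is None:
            continue
        elif line.startswith("Type:"):
            cur.type = line[len("Type:"):].strip()
        elif line.startswith("Subtype:"):
            cur.subtype = line[len("Subtype:"):].strip()
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section in ("config", "info"):
            getattr(cur, section).append(line)
    return phases, final


def diagnose(text):
    """Return human-readable findings for one packet-tracer run."""
    phases, final = parse_packet_tracer(text)
    findings = []
    drop = next((p for p in phases if p.result.upper() == "DROP"), None)
    if drop is None:
        return ["no phase reported DROP; final action: " + final.get("action", "?")]
    findings.append(f"flow dropped in phase {drop.number}: {drop.type}/{drop.subtype or '-'}")
    for cfg in drop.config:
        findings.append("rule that matched: " + cfg)
    # The ASA reports NAT RPF failures under the generic acl-drop reason.
    if "acl-drop" in final.get("drop-reason", "") and drop.type != "ACCESS-LIST":
        findings.append(f"drop-reason is (acl-drop) but the dropping phase is {drop.type}, "
                        "not ACCESS-LIST: fix that rule, not the access-group")
    if drop.type == "NAT" and drop.subtype == "rpf-check":
        findings.append("rpf-check failed: re-run the trace with the mapped (outside) "
                        "address as destination, not the real inside address")
    for p in phases:
        if p.type == "SUBOPTIMAL-LOOKUP":
            findings.append(f"phase {p.number} re-ran the route lookup: " + " / ".join(p.info))
    return findings


# Constructed sample: phases 5 and 8 plus the summary, trimmed from the thread.
SAMPLE = """\
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group test2 in interface outside
access-list test2 extended permit tcp any any eq www

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source static any interface service HTTP HTTP
Additional Information:
out id=0x7f9219cb24a0, priority=6, domain=nat-reverse, deny=false

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print("-", finding)
```

Paste the full `packet-tracer ... detailed` output into `diagnose()`; the first finding names the phase to look at, and the "rule that matched" line is the config statement to fix or to test against.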

Hi,

Please modify your packet-tracer command as follows:

packet input outside tcp 47.1.2.3 www <inside global address of 172.17.1.1> www detailed

securebox(config)# packet input outside tcp 47.1.2.3 www 172.17.1.254 www detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f9219bc2830, priority=13, domain=capture, deny=false
hits=187555, user_data=0x7f921a68cbf0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=outside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f9219b43790, priority=1, domain=permit, deny=false
hits=1464116, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

 

***I do have a default route through outside

S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside

Hello,

I get your setup now. Please have a look at the post by @Karsten Iwen.

ngkin2010, thanks for your help, I will try the solutions from the first post.

I guess trying to double NAT, once at the Verizon Actiontec and once at the ASA, doesn't work.

 

I do understand that putting a public IP on the outside interface is the recommended way.

Is double NATting this way not possible with an ASA?
