I'm newer to ASA's and I have the following scenario:

External users need RDP access to an internal server, so they need to hit a public-facing IP that gets translated to a private, but I also need to NAT the external users public IP, so that I can ensure traffic gets routed back through the same FW (default route goes out another FW).

I was able to get this working with the following:

obj-Public-Server
   host <public_server_IP>

obj-Private-RDPServer
   host <private_RDPserver_IP>

obj-Private-HTTPServer
   host <private_HTTPserver_IP>

nat (outside,inside) source dynamic any interface destination static obj-Public-Server obj-Private-RDPServer

So this works. If I RDP to the public IP of the server, I'm able to get to the desktop (i.e. tcp/3389) is successful, but my concern is that this configuration looks to me that it will only ever be able to be used for a translation between obj-Public-Server and obj-Private-RDPServer. Is my understanding/assumption correct based on the nat command above?

If so, I tried the following:

object service 3389
   service tcp source eq 3389 destination eq 3389 

object service 81

   service tcp source eq 81 destination eq 81

nat (outside,inside) source dynamic any interface destination static obj-Public-Server obj-Private-RDPServer service 3389 3389

And this does not work. I can no longer RDP into the server. If I remove the "service 3389 3389" portion, it works. 

Essentially, I'd like to have tcp/3389 for obj-Public-Server go to obj-Private-RDPServer and tcp/81 for obj-Public-Server go to obj-Private-HTTPServer all while NATting the external user's IP to inside interface to ensure traffic makes it back to this FW instead of taking the default route out the other FW.

Should I be able to do this on a per-port basis? Is there a way to both NAT external traffic to the inside interface while NATing the internal server to a Public IP for a specific port/service?

Thanks,

Susan