ASA Port Forwarding Issue

robert3kennedy
Level 1
Level 1

Hi, I'm looking for a bit of assistance; I'm pretty sure I'm making a silly mistake somewhere. I am trying to allow port 3389 through the ASA to a host for RDP. I will eventually tie it down so it can only be accessed from one location.

 

ASA Version 9.8(2)38

ASDM Version 7.8(1)

Screenshots of NAT and ACL rules attached.  It is failing the packet tracer on the ASA at the NAT section.

 

Any help appreciated.


Thanks


robert3kennedy
Level 1
Level 1
 

The ACL picture does not show the relevant part. Did you use the internal host as the destination in your ACL? That is what has to be done. And what is the output of packet-tracer? "It fails" is not a problem description. It could be the wrong order of NAT statements, but you also don't show them. Hard to help without this information...

Sorry about that, too quick editing screencaps. New ones below, as well as the relevant lines from show run:

object service RDP
service tcp destination eq 3389
description RDP
object network RDP_HOST
host 192.168.50.50
access-list OUTSIDE_access_in extended permit object RDP any object RDP_HOST

object network RDP_HOST
nat (INSIDE,OUTSIDE) static interface service tcp 3389 3389
!

 

ACL1.jpg

ACL2.jpg

NAT1.jpg

NAT2.jpg

Packet trace.jpg

 

At least the config looks fine. What is your packet-tracer command? Did you also test real traffic? Perhaps it is working but you only made a mistake in packet-tracer?

The correct packet-tracer command would be:

packet-tracer input OUTSIDE tcp 1.2.3.4 1234 IP-OF-YOUR-OUTSIDE-INTERFACE 3389

Hi, thanks for that. I thought I was doing something stupid. I ran the packet tracer through the ASDM GUI in the example before. However, the example below seems to be different.

 

Result of the command: "packet-tracer input OUTSIDE tcp 192.168.50.50 3389 OUTSIDEINTERFACEIP 3389"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop OUTSIDEINTERFACEIP using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

 

Again, your packet-tracer command is wrong. The source MUST be an IP that is located (based on the routing-table) on the outside interface. Because of that I always use 1.2.3.4 as the source.

Apologies, and thanks again,

 

Result of the command: "packet-tracer input OUTSIDE tcp 1.2.3.4 1234 OUTSIDEIP 3389"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Again, something goes wrong here as the ASA thinks that the destination is also outside (should be the interface where the host 192.168.50.50 is located) and it does not match a NAT rule. Double-check the OUTSIDEIP in the packet-tracer.

Forgive me if I'm mistaken here, but shouldn't OUTSIDEIP be the public address on the ASA? At least that's what I took from the original description. If that's the case, then it is.

Thanks

Yes, it has to be the IP of the outside interface of the ASA as that is the IP for which the translation is configured. But the output of the packet-tracer says it is not ...

Hi, thanks.

 

In that case there must be another misconfiguration issue somewhere, as the command was definitely run using the public IP address of the ASA. I have run it again to check and got the same output.

Result of the command: "packet-tracer input OUTSIDE tcp 1.2.3.4 1234 x.x.x.x 3389"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.x using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
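As an added example (not from the thread, not Cisco's code), a small Python parser for the packet-tracer output format quoted above: it splits the phases, extracts the final action and drop reason, and flags the combination the replies point at, an identity egress (the ASA treats the destination as its own address, shown as "NP Identity Ifc") with no UN-NAT phase, which is the phase a matching static NAT prints. The UN-NAT phase name and the sample address 203.0.113.10 are assumptions, and the trace below is a constructed sample modelled on the one posted.

```python
import re

# Constructed sample, modelled on the trace posted above (address is made up)
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Additional Information:
found next-hop 203.0.113.10 using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule

Result:
input-interface: OUTSIDE
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(head):
    """One dict per 'Phase:' block with its Type, Subtype and Result."""
    phases = []
    for block in re.split(r"\n(?=Phase: \d+)", head.strip()):
        fields = dict(re.findall(r"^(Type|Subtype|Result): ?(.*)$", block, re.M))
        phases.append({k.lower(): v.strip() for k, v in fields.items()})
    return phases

def diagnose(trace):
    """Summarise a trace; 'hints' is non-empty for the identity-egress / no-UN-NAT drop."""
    head, _, tail = trace.partition("\nResult:\n")
    phases = parse_phases(head)
    summary = dict(re.findall(r"^([\w-]+): (.*)$", tail, re.M))
    un_nat = any(p.get("type") == "UN-NAT" for p in phases)  # assumed: static NAT matched
    to_self = summary.get("output-interface") == "NP Identity Ifc"
    hints = []
    if summary.get("Action") == "drop" and to_self and not un_nat:
        hints.append("destination resolved to the ASA itself and no static NAT untranslated it")
    return {"phases": phases, "action": summary.get("Action"),
            "drop_reason": summary.get("Drop-reason"), "un_nat": un_nat, "hints": hints}
```

Run it on a trace where the static NAT did match (an UN-NAT phase and an inside output interface) and the hint list stays empty, which is the quick way to tell "NAT never matched" from "ACL denied it after NAT".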

Is your NAT command still in the config, or have you removed it accidentally?

It is still there and I can see the XLATE in the table.

 

Result of the command: "show xlate | i 192.168.50.50"

TCP PAT from any:192.168.50.50 3389-3389 to OUTSIDE:217.39.144.61 3389-3389
