MHM Cisco World, you respond to all of my posts and you are often wrong. Respectfully, if you are not confident in the solution, please stop replying.

The NAT cannot be inside->outside because this server is to be accessible from the internet - I am not trying to give internet egress connectivity to the server. 

No I respect your opinion' sometime hit sometime not hit but here we share idea' you can take it or not it depends on your view of solution.

Anyway if you are familiar with NAT you must know that static NAT is bidirectional and it can use for client try to access server inside. 

Sure you need to use l4 port

This link for more detail about NAT to access server' maybe you need to refresh your info 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html

*****Also dont forget to add acl allow access to server from outside to it private IP.

MHM

Yes I do know that static is bidirectional which is why your suggestion to change it from outside -> inside to inside->outside does not make sense. Anyway just for a test I tried this and same result the nat is not being hit:

Under which category this NAT add 

Auto NAT or before or after ?

MHM

It is a before NAT 

Do packet-tracer from outside to inside and check where the packet drop

Two possiblity either the traffic can not route to server or it hit some other NAT (NAT order issue)

MHM

It's not hitting any NAT rules so it thinks to just route it back externally.

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop [outside ip] using egress ifc identity(vrfid:0)

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

It can fake result if you dont use packet-tracer correctly'

Can I see the packet tracer ypu use

MHM

Outside interface

Random source IP, Destination is my outside interface IP

TCP21 source and dest

The source is any port and destiantion is tcp21 in end you want to access ftp server inside which use that port

Yes that is obvious. Setting the source port shouldn't make any difference and I can't select any in a packet tracer so I just copied the dsetination.

Ok meaning use any use port 12345 (random ports)

For packet-tracer use

Inside from server (real IP 10.x.x.x) to outside any random ip source port tcp21 and destiantion port 12345

Share packet tracer 

MHM