the problem with articles like that is when they show how to do static PAT, they are doing it for a single port, and doing so within the network object.

The NAT statements I had in place were already similar to what you are proposing...

nat (inside,outside) source static yealink interface service YeaLink-1719-UDP YeaLink-1719-UDP
nat (inside,outside) source static yealink interface service YeaLink-1720-TCP YeaLink-1720-TCP
nat (inside,outside) source static yealink interface service YeaLink-HTTPS YeaLink-HTTPS
nat (inside,outside) source static yealink interface service YeaLink-50000-50499-TCP YeaLink-50000-50499-TCP
nat (inside,outside) source static yealink interface service YeaLink-50000-50499-UDP YeaLink-50000-50499-UDP
nat (inside,outside) source static yealink interface service YeaLink-5060-5061-TCP YeaLink-5060-5061-TCP
nat (inside,outside) source static yealink interface service YeaLink-5060-5061-UDP YeaLink-5060-5061-UDP

The only difference is that your proposed NAT statement uses a service group (which incidentally the NAT command didnt seem to like when I just tried to use it).  Did your FW accept your commands as written?

the error I get in the logs is just 

Mar 12 2017 07:25:41: %ASA-3-710003: TCP access denied by ACL from

This goes away if I go into the network object and add a local NAT statement there (like this:
object network yealink
nat (inside,outside) static interface service tcp https https)  so I am pretty sure its not an ACL issue, just an issue with the FW not recognizing the translation of the port to the internal server so it doesnt think the ACL even applies...

I see what you mean. the docs and examples are a bit hazy when it comes to service groups.

I labbed it on an ASA with 9.6(2) and got the errors with the NAT statement as well.

I think the modification below using separate NAT statements might work. (Make sure none of the ports are in use by any other services - 443 is often used for SSL VPN.) The access-list can use the group still. I also believe we want to define the services as destination type (vs. source).

If a flow appears to fail, then check out what packet-tracer gives you. It will inject a simulated packets and examine the internal flow indicating what NAT, ACL etc is encountered and the eventual disposition of the flow. We sometimes learn from this diagnostic tool that the command syntax is correct but it's necessary to adjust a NAT or ACE order with respect to the other ones to make the ASA behave as desired.

object service VTC_udp_ports_1
 service udp destination range 1719 1720 
object service VTC_udp_ports_2
 service udp destination range 50000 50499
object service VTC_tcp_ports_1
 service tcp destination range 1719 1720 
object service VTC_tcp_ports_2
 service tcp destination range 50000 50499
object service SSL-TLS
 service tcp destination eq https

object-group service VTC_Services
 description Needed from outside inbound to VTC server
 service-object object VTC_udp_ports_1
 service-object object VTC_udp_ports_2
 service-object object VTC_tcp_ports_1
 service-object object VTC_tcp_ports_2
 service-object object SSL-TLS

object network VTC_Server
 host <real IP Address of server>

nat (inside,outside) source static VTC_Server interface service VTC_udp_ports_1 VTC_udp_ports_1
nat (inside,outside) source static VTC_Server interface service VTC_udp_ports_2 VTC_udp_ports_2
nat (inside,outside) source static VTC_Server interface service VTC_tcp_ports_1 VTC_tcp_ports_1
nat (inside,outside) source static VTC_Server interface service VTC_tcp_ports_2 VTC_tcp_ports_2
nat (inside,outside) source static VTC_Server interface service SSL-TLS SSL-TLS

access-list outside_access_in extended permit object-group VTC_Services any object VTC_Server

I believe what you are suggesting is what I have in the firewall right now...the only thing FW int 443 is used for is ASDM and I have moved that to another port...there are some extra permit ACLs but only because I was trying to throw stuff against the wall when it wasn't working....

Keep in mind if I att a 443 PAT config to the TeleConference network object, it works fine.

FIREWALL1(config)# show run access-list
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit tcp any object TeleConference eq https
access-list outside extended permit tcp any object TeleConference eq h323
access-list outside extended permit udp any object TeleConference eq 1719
access-list outside extended permit tcp any object TeleConference range sip 5061
access-list outside extended permit tcp any object TeleConference range 50000 50499
access-list outside extended permit udp any object TeleConference range 50000 50499
access-list outside extended permit udp any object TeleConference range sip 5061
access-list outside extended permit tcp any4 interface outside eq https
access-list outside extended permit tcp any4 host 200.200.200.200 eq https
access-list outside extended permit ip host 5.5.5.5 interface outside
access-list outside extended permit ip host 5.5.5.5 object TeleConference
access-list outside extended permit ip host 5.5.5.5 host 200.200.200.200
access-list outside extended permit object-group TeleConference-SVC any object TeleConference
FIREWALL1(config)# show run nat
nat (inside,any) source static obj-10.10.30.0 obj-10.10.30.0 destination static obj-10.10.0.0 obj-10.10.0.0 no-proxy-arp route-lookup
nat (inside,outside) source static TeleConference interface service TeleConference-1719-UDP TeleConference-1719-UDP
nat (inside,outside) source static TeleConference interface service TeleConference-1720-TCP TeleConference-1720-TCP
nat (inside,outside) source static TeleConference interface service TeleConference-HTTPS TeleConference-HTTPS
nat (inside,outside) source static TeleConference interface service TeleConference-50000-50499-TCP TeleConference-50000-50499-TCP
nat (inside,outside) source static TeleConference interface service TeleConference-50000-50499-UDP TeleConference-50000-50499-UDP
nat (inside,outside) source static TeleConference interface service TeleConference-5060-5061-TCP TeleConference-5060-5061-TCP
nat (inside,outside) source static TeleConference interface service TeleConference-5060-5061-UDP TeleConference-5060-5061-UDP
!
object network obj_any
 nat (inside,outside) dynamic interface
FIREWALL1(config)# show run obj
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-10.10.0.0
 subnet 10.10.0.0 255.255.252.0
object network obj-10.10.30.0
 subnet 10.10.30.0 255.255.255.0
object network TeleConference
 host 10.10.30.120
object service TeleConference-1719-1720
 service tcp destination range 1719 h323
object service TeleConference-5060-5061
 service tcp destination range sip 5061
object service TeleConference-1719-UDP
 service udp destination eq 1719
object service TeleConference-1720-TCP
 service tcp destination eq h323
object service TeleConference-HTTPS
 service tcp destination eq https
object service TeleConference-50000-50499-UDP
 service udp destination range 50000 50499
object service TeleConference-50000-50499-TCP
 service tcp destination range 50000 50499
object service TeleConference-5060-5061-TCP
 service tcp destination range sip 5061
object service TeleConference-5060-5061-UDP
 service udp destination range sip 5061
FIREWALL1(config)# show run object-group
object-group service TeleConferenceSvc tcp
 port-object range 50000 50499
 port-object range 1719 h323
 port-object eq https
 port-object range sip 5061
object-group service TeleConference-SVC
 service-object object TeleConference-1719-UDP
 service-object object TeleConference-1720-TCP
 service-object object TeleConference-HTTPS
 service-object object TeleConference-50000-50499-UDP
 service-object object TeleConference-50000-50499-TCP
 service-object object TeleConference-5060-5061-TCP
 service-object object TeleConference-5060-5061-UDP
FIREWALL1(config)#

FIREWALL1(config)# packet-tracer input outside tcp 5.5.5.5 20202 200.200.200.200 443 det

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 200.200.200.200 using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x7fffe133eb20, priority=0, domain=nat-per-session, deny=false
 hits=73795, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
 input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x7fffe1a59dc0, priority=0, domain=permit, deny=true
 hits=5580, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
 input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I think that your service object should be "service tcp source eq https" not destination. With respect to the inside server, the source port is 443, not the destination port. Your packet tracer should have ideally hit an un-nat phase if the NAT rule was correct.

My goal is to expose the inside server to the outside on a number of ports, using port forwarding on the outside interface to map those ports to the internal server.

As such I used a destination port of 443 in the packet tracer to simulate an incoming 443 connection which should be forwarded (by NAT/PAT) to the internal server and allowed by ACL.

I am open to changing the NAT commands to say source instead of destination but I guess I am confused since when a packet comes to the firewall from the internet, it is the destination port which will be 443.  When the internal server sends a syn-ack back to the host on the Internet to build the connection, that would have a source port of 443 and a destination port of whatever but on the initial packet (SYN) that needs to be NAT/PATd properly to the inside server, the destination would be 443.

that appears to have done it,thanks.  I figured it was something being interpreted backwards but didnt know if it was an ACL, NAT statement, object etc :)