But isn't the problem with Scenario 2 that you are using the public/NAT IP in the access-list statement?
From 8.3 software onwards you use the device's actual local IP address in the NAT statements and not the NAT IP.
Here's one example (using private IP addresses):
PUBLIC IP: 192.168.10.10
PRIVATE IP: 10.10.10.10
object network STATIC-WEBSERVER
 host 10.10.10.10
 nat (inside,outside) static 192.168.10.10 dns
! Either ACL form works: reference the object or the local (real) host IP
access-list OUTSIDE-IN permit tcp any object STATIC-WEBSERVER eq www
access-list OUTSIDE-IN permit tcp any host 10.10.10.10 eq www
The above scenario would make a Static NAT for a single device on your LAN. The device would be visible to the outside interface as 192.168.10.10.
Even though this is the case, you would still need to use the local IP address (or the object which contains that IP address) in the access-list. If you used the IP address 192.168.10.10 in the outside interface access-list, the connection wouldn't go through.
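
A quick way to audit a config for the mistake described above, as an added example that is not part of the original post: this Python sketch flags access-list entries that reference a static NAT's mapped IP instead of the real one. It assumes 8.3+ object NAT syntax with a literal mapped IP and `host` entries in the ACL; the sample config and the function names are constructed for illustration.

```python
import re

# Constructed sample config (not from the post). Line 6 uses the mapped IP.
SAMPLE_CONFIG = """\
object network STATIC-WEBSERVER
 host 10.10.10.10
 nat (inside,outside) static 192.168.10.10 dns
access-list OUTSIDE-IN permit tcp any object STATIC-WEBSERVER eq www
access-list OUTSIDE-IN permit tcp any host 10.10.10.10 eq www
access-list OUTSIDE-IN permit tcp any host 192.168.10.10 eq www
"""

IPV4 = r"\d+(?:\.\d+){3}"

def parse_static_nat(config):
    """Map each mapped (NAT) IP to (object name, real IP) for object static NAT."""
    hosts, mapped, current = {}, {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
        elif not line.startswith(" "):
            current = None  # left object sub-mode
        elif current:
            h = re.match(rf"\s+host ({IPV4})", line)
            n = re.match(rf"\s+nat \(\S+\) static ({IPV4})", line)
            if h:
                hosts[current] = h.group(1)
            if n:
                mapped[current] = n.group(1)
    # "show run" can list host and nat under separate stanzas of one object.
    return {mapped[o]: (o, hosts[o]) for o in mapped if o in hosts}

def find_mapped_ip_acl_entries(config):
    """Return (line number, mapped IP, real IP, object) for ACL lines using a mapped IP."""
    nat = parse_static_nat(config)
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        if not line.startswith("access-list "):
            continue
        for ip in re.findall(rf"\bhost ({IPV4})", line):
            if ip in nat:
                obj, real = nat[ip]
                findings.append((lineno, ip, real, obj))
    return findings

if __name__ == "__main__":
    for lineno, ip, real, obj in find_mapped_ip_acl_entries(SAMPLE_CONFIG):
        print(f"line {lineno}: ACL uses mapped IP {ip}; use {real} or object {obj}")
```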