I am trying to forward a selection of ports to two internal IP addresses.  The main port is 8080 to internal IP 10.20.16.245.

I've stripped down the router config to as basic as possible for testing this out.

Open port scanner reports that the port is filtered, and I can't bring up the http interface in a browser.

Here is my result for sh ip nat translation:

tcp WANIP:8080 10.20.16.245:8080 OUTSIDEIP:49468 OUTSIDEIP:49468

tcp WANIP:8080 10.20.16.245:8080 OUTSIDEIP:49469 OUTSIDEIP:49469

tcp WANIP:8080 10.20.16.245:8080 OUTSIDEIP:49470 OUTSIDEIP:49470

And here is my running config (minus private areas):

object-group network inside
10.20.16.0 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description UC2B Fiber$ETH-WAN$
ip address WANIP 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
description LAN$ETH-LAN$
ip address 10.20.16.242 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
switchport access vlan 25
switchport mode trunk
no ip address
no mop enabled
!
interface GigabitEthernet0/0/1
switchport mode trunk
no ip address
!
interface GigabitEthernet0/0/2
switchport access vlan 5
switchport mode trunk
no ip address
!
interface GigabitEthernet0/0/3
switchport access vlan 5
switchport mode trunk
no ip address
!
interface Vlan1
no ip address
!
interface Vlan5
no ip address
!
interface Vlan15
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan25
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan100
no ip address
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 10.20.16.245 8080 interface GigabitEthernet0/0 8080
ip nat inside source static udp 10.20.16.245 8080 interface GigabitEthernet0/0 8080
ip nat inside source static tcp 10.20.16.246 8081 interface GigabitEthernet0/0 8081
ip nat inside source static tcp 10.20.16.246 5551 interface GigabitEthernet0/0 5551
ip nat inside source static udp 10.20.16.246 8081 interface GigabitEthernet0/0 8081
ip nat inside source static udp 10.20.16.246 5551 interface GigabitEthernet0/0 5551
ip nat inside source static tcp 10.20.16.245 5550 interface GigabitEthernet0/0 5550
ip nat inside source static udp 10.20.16.245 5550 interface GigabitEthernet0/0 5550
ip nat inside source static udp 10.20.16.245 9998 interface GigabitEthernet0/0 9998
ip nat inside source static tcp 10.20.16.245 9998 interface GigabitEthernet0/0 9998
ip nat inside source static tcp 10.20.16.245 5555 interface GigabitEthernet0/0 5555
ip nat inside source static udp 10.20.16.245 5555 interface GigabitEthernet0/0 5555
ip nat inside source static tcp 10.20.16.246 5556 interface GigabitEthernet0/0 5556
ip nat inside source static udp 10.20.16.246 5556 interface GigabitEthernet0/0 5556
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip default-network 10.20.16.0

!
ip access-list extended vlan15
remark vlan15 to outside
remark CCP_ACL Category=2
permit ip 10.10.10.0 0.0.0.255 any
!
ip sla auto discovery
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 10.20.16.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.20.16.0 0.0.0.255 10.225.103.0 0.0.0.255
access-list 101 remark CCP_ACL Category=3
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.20.16.0 0.0.0.255 10.26.116.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.20.16.0 0.0.0.255 10.225.103.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.20.16.0 0.0.0.255 10.10.209.0 0.0.0.255
access-list 101 permit ip 10.20.16.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.20.16.0 0.0.0.255 10.10.209.0 0.0.0.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.20.16.0 0.0.0.255 10.26.116.0 0.0.0.255
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.20.16.0 0.0.0.255 10.225.103.0 0.0.0.255
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!

end

I've tried adding an ACL and attaching it to the WAN interface but this doesn't seem to affect it.

I must be missing something really simple here.