Here is an example from one of my customer's 2921 router. Can't to the same on a 4331. 
ip port-map user-http-8443 port tcp 8443 description allow http(s) on 8443
ip port-map user-lync-online port udp 3478 description Lync Online outbound audio and video ses
ip port-map user-http-8081 port tcp 8081 description allow http(s) on 8081
ip port-map user-lync-mobile port tcp 5223 description Lync mobile client push notifications
ip port-map user-http-8080 port tcp 8080 description allow http(s) on 8080
ip port-map user-Media-Port-Ofc port tcp 9001 description Office video recorder media port
ip port-map http port tcp 8057 list 4 description dbch.dbsquared.biz

(config)#ip port-map  ?

ip nat service ........

if I am right you use port-map for static NAT ??
can you try above  command 

I don't think ip nat service will get the job done.
Following is example of how port-map is used on a working 2921 router.

ip port-map user-Media-Port-Ofc port tcp 9001 description Office video recorder media port
class-map type inspect match-all Office-Cameras.class
  match protocol user-Media-Port-Ofc
  match access-group name Cameras-ACL
ip access-list extended Cameras-ACL
  permit tcp any object-group Cameras
policy-map type inspect Internet.in.policy
  class type inspect Office-Cameras.class
    inspect

This link Understand the Zone-Based Policy Firewall Design - Cisco has an example of configuring PAM with a user-defined entry for X Windows.

Apparently, this feature has been dropped in IOS XE Software, Version 17.03.02 or there is a software bug.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_cbac_fw/configuration/15-mt/sec-data-cbac-fw-15-mt-book/config-cbac-port-map.html#GUID-22AE877B-4F53-45E0-807A-3E8A457FFC10

https://cfnng.cisco.com/browse/routing/features

check the feature platform and license.