...
Opinion: Waste of resources, processing, and mind you logical, absolutely redundant and insecure and exploitable. The access list should be processed first to even figure out if the firewall should process. Once the access list allows, the port translation can continue the process and route accordingly. As of this method, it seems to trigger via NAT (meaning processing the internal IP to outside), and then processing the ACL to allow. Just me? I don't know. I prefer 8.2 and below.
8.2 and Below
Create Server Objects to Translate (Layer 4 Translation)
Code Block object-group service SERVER_Services tcp port-object eq 3389 port-object range 6100 6199 port-object eq ident object-group service NETWORK_SERVICES tcp group-object SERVER_Services group-object SERVER2_Services group-object SERVER3_Services access-list outside_access_in extended permit tcp any host OUTSIDE_IP object-group NETWORK_SERVICES
Create Access List to allow Services to Server (Layer 3 Translation)
Code Block static (inside,outside) tcp interface ident SERVER ident netmask 255.255.255.255 static (inside,outside) tcp interface 3389 SERVER 3389 netmask 255.255.255.255 static (inside,outside) tcp interface 6103 SERVER 6103 netmask 255.255.255.255 static (inside,outside) tcp interface 80 SERVER2 80 netmask 255.255.255.255
...