Take a look at the 2 NAT rules on my Cisco ASA 5505. They exist to allow port 4430 and port 8001 traffic to travel from
the the outside interface on the firewall to
the server (10.20.2.3). They both work perfectly, and yet they both look completely backwards
Note the inside"interface specified in the top left. It's the outside interface on the firewall that traffic is hitting and these NAT rules exist to handle.
Similarly, the Original/Source values and the Translated/Interface values seem ass-backwards, yet they work.