@AntonAU I'm the OP, and I was able to get something that worked for me.  Using Switch ACLs, I did the following:

1. Create the 1 to 1 NAT rule.  In my case, it was one of my public IP Aliases to an internal address of 192.168.x.x.

2. I then created Switch ACls.  In my case, I wanted my internal LAN to be able to VNC to the private address of the 1 to 1 nat.

  a. I created a rule allowing all 10.x.x.x addresses access to the internal address of the 1 to 1 nat. (192.168.x.x/32) on port 5900.  

  b. second rule was to deny VNC ports for source IP Group_Any all protocols denied to 192.168.x.x/32 (internal address) on port 5900.  This blocks VNC.

So, ultimately, I can block whatever ports I want (including all but 443 if that is what I want), and then only the open ports will be allowed to pass through to the internal IP address.

I'm somewhat rebuilding my process from looking at the existing rules, but I am pretty sure this is the jist of what I have.