Cisco
Thomas Andersen, 2015-08-28 12:18:55

How to make the server not visible on the Internet?

In general, the essence is this:
We have a Cisco ASA as the firewall, standing on the border between the internal (local) network and the external one (Internet). NAT is configured on the Cisco, and the address 192.168.1.1 is translated to some external IP 10.0.0.1.
This external IP can accordingly be pinged and, if desired, scanned for open ports.
The question is: how can I hide this IP address using the ASA (Cisco ASA), or at least make it impossible to scan the host for open ports?


3 answer(s)
John_Alban, 2015-08-28
@32neo32

On the ASA you need to create two zones (for example, trust and untrust) and put the interface facing the provider into untrust and the interface facing the server into trust.
Set the security-level on the interfaces:
!
interface gig0/0
description --to_ISP--
security-level 0
nameif untrust
!
int gig0/1
des --to_server--
security-level 100
nameif trust
!
NAT config:
object network server_local
host 192.168.1.2
object network ISP_peering
host 111.111.111.111
!
object network out_nat
nat (trust,untrust) dynamic ISP_peering
! or via static mode
!
This enables stateful traffic processing, and the server will be unreachable from outside (the server will have to initiate the traffic flow). If some ports of the server (for example, http) need to be reachable from outside, just add an ACL:
access-list outside_access extended permit tcp any object server_local eq www
access-group outside_access in interface untrust
Naturally, this is a minimal config, and it will not be enough for complete happiness.

chupasaurus, 2015-08-28
@chupasaurus

Works for TCP: in iptables, for unwanted connections, use -j REJECT --reject-with tcp-reset instead. That way it is almost impossible to distinguish closed ports from filtered ones (only by a difference of microseconds, which is useless given the jitter of Internet connections).
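The distinction this answer relies on can be checked mechanically. The following added example (not from the post) audits a constructed iptables-save dump and reports, for each denying INPUT rule, whether a probe hitting it would look "closed" or "filtered": a TCP SYN scan reports closed on a RST and filtered on silence or an ICMP unreachable error, so only --reject-with tcp-reset hides TCP filtering; it also extends the idea to UDP, where ICMP port-unreachable (the REJECT default) is exactly what a closed port sends.

```python
# Constructed sample `iptables-save` dump (made up for this example, not from the post).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 161 -j REJECT
-A INPUT -j REJECT
COMMIT
"""

def scanner_view(proto, target, reject_with):
    """How a port scanner classifies a port that this rule denies:
    'closed' looks like no service, 'filtered' reveals a firewall, None = not a denial."""
    if target == "DROP":
        return "filtered"  # silence: the scanner times out and reports filtered
    if target != "REJECT":
        return None  # ACCEPT, LOG, jumps to other chains
    if proto == "tcp":
        # REJECT defaults to ICMP port-unreachable; only a RST mimics a closed TCP port.
        return "closed" if reject_with == "tcp-reset" else "filtered"
    if proto == "udp":
        # A closed UDP port answers with ICMP port-unreachable, so that is the closed look.
        return "closed" if reject_with in (None, "icmp-port-unreachable") else "filtered"
    return "filtered"  # protocol-agnostic REJECT: TCP probes get ICMP, not RST

def _opt(tokens, flag, default=None):
    return tokens[tokens.index(flag) + 1] if flag in tokens else default

def audit_rules(dump):
    """Return [(rule, verdict)] for every denying INPUT rule in an iptables-save dump."""
    findings = []
    for line in dump.splitlines():
        if not line.startswith("-A INPUT "):
            continue
        tokens = line.split()
        verdict = scanner_view(_opt(tokens, "-p", "all"), _opt(tokens, "-j"),
                               _opt(tokens, "--reject-with"))
        if verdict:
            findings.append((line, verdict))
    return findings

if __name__ == "__main__":
    for rule, verdict in audit_rules(SAMPLE_RULES):
        print(f"{verdict:9} {rule}")
```

Run it against the output of a real `iptables-save` to see which deny rules still give away the firewall.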

Ruslan Fedoseev, 2015-08-28
@martin74ua

service iptables panic
Or another similar method.
It also helps a lot to turn off all services and leave only the kernel.
If there are no open ports on the address, then there are no services on it. Is that exactly what you want?
