You need to create the rule using explicit DNAT and Firewall rules, rather than the port forward "wizard" page.
Here's an example (for FTP).
Firewall:

    rule 7 {
        action accept
        description FTP
        destination {
            port 21
        }
        protocol tcp
        state {
            new enable
        }
    }

DNAT:

    rule 7 {
        description FTP
        destination {
            port 21
        }
        inbound-interface eth0
        inside-address {
            address 192.168.10.20
            port 21
        }
        log disable
        protocol tcp
        type destination
    }
In your case, you would just add a "source" stanza to the firewall rule. You could also do it to the NAT rule, but that's just adding complexity where you don't necessarily need it.
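The firewall rule from the example above with a "source" stanza added, shown as an added illustration that is not part of the original post. The address 203.0.113.10 is a constructed placeholder from the documentation range; substitute the host or subnet that should be allowed to reach the forwarded port. The DNAT rule stays as posted.

```text
rule 7 {
    action accept
    description FTP
    destination {
        port 21
    }
    protocol tcp
    /* constructed placeholder: only this source may open new FTP connections */
    source {
        address 203.0.113.10
    }
    state {
        new enable
    }
}
```

Because the DNAT rule still translates port 21 for every source, traffic from any other address is rewritten and then left to whatever later rules and the default action of the firewall ruleset decide, so that default action should be drop.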