You can create ACLs that specify where to NAT addresses to and from. An ACL that is applied to an outside interface (inbound from the Internet from the controllers perspective) that has src-nat statements will work even if the IP address is not assigned to an interface.
For example, you can have 1.1.1.1 assigned to an interface and have an ACL assigned to your inbound interface that says:
any host 1.1.1.2 any src-nat ip 10.0.0.2
Then, any packets that show up on the outside interface destined for 1.1.1.2 will be source NAT'd and sent inside the network to 10.0.0.2.
The first "any" is the source and the second "any" is the port/protocol/service.
You would also have to make sure the inside VLAN that is used to route to/from 10.0.0.2 is set to "ip nat inside".
