Pretty straight forward (but as you said... not documented):
Setup an ACL (the one below will allow ssh, tcp/80 and everything else, as an example):
ip access-list session inbound_access
any any svc-dhcp permit
any host <external IP> svc-ssh dst-nat ip <internal IP>
any host <external IP> tcp 80 dst-nat ip <internal IP>
any host <external IP> any dst-nat ip <internal IP>
Apply that ACL to your inbound port on the controller:
interface gigabit 1/0
ip access-group inbound_access session
Make sure your inside port is NATing:
interface gigabit 1/1
ip nat inside
That should be it.