NETMAP

Can you post the output of ‘/ip firewall filter export’?

I assume you have firewall rules in your forward chain. If you have a reject / drop rule at the end of your forward chain, you’ll have to add a rule explicitly allowing external traffic to access the internal netmap host. Otherwise traffic to .203 will match the reject / drop rule and not be accessible, as you state is the case with your configuration.

/ip firewall filter add chain=forward in-interface=Ether1-WAN dst-address=10.11.0.10

The dst-address is specified as the internal IP because the packet enters the forward chain after the netmap translation has been performed from the external IP. Until you post your config I can’t tell you exactly where to place that rule.


The .203 IP is pingable from the inside of your network because your input chain likely does not prohibit access from the LAN subnet.

I’m just making some guesses based on common firewall configs. Post yours, and I could tell you for sure! :)
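The ordering described in the post above, as an added example that is not part of the original post: a small Python model of dst-nat (netmap) running before the forward chain, showing why the allow rule has to match the internal address and sit above the drop rule. The public address 203.0.113.203 is a constructed stand-in for the ".203" address, and the rule dictionaries are a simplified model, not RouterOS syntax.

```python
import ipaddress

# Constructed value: the post only says ".203", so a documentation-range
# address stands in for it. 10.11.0.10 and Ether1-WAN come from the post.
EXTERNAL = "203.0.113.203"
INTERNAL = "10.11.0.10"

def netmap(dst, from_net, to_net):
    """1:1 dst-nat: keep the host bits, swap the network prefix."""
    src, new = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    addr = ipaddress.ip_address(dst)
    if addr not in src:
        return dst  # not covered by the mapping, left untouched
    offset = int(addr) - int(src.network_address)
    return str(new.network_address + offset)

def forward_chain(packet, rules):
    """First matching rule wins; a rule with no matchers matches everything."""
    for rule in rules:
        if all(packet.get(k) == v for k, v in rule["match"].items()):
            return rule["action"]
    return "accept"  # nothing matched: packet is accepted

def route(packet, rules):
    """Apply dst-nat first, then evaluate the forward chain on the result."""
    new_dst = netmap(packet["dst"], EXTERNAL + "/32", INTERNAL + "/32")
    translated = dict(packet, dst=new_dst)
    return translated["dst"], forward_chain(translated, rules)

DROP_ALL = {"match": {}, "action": "drop"}
ALLOW_EXTERNAL = {"match": {"in": "Ether1-WAN", "dst": EXTERNAL}, "action": "accept"}
ALLOW_INTERNAL = {"match": {"in": "Ether1-WAN", "dst": INTERNAL}, "action": "accept"}

# Constructed packet: arrives on the WAN port addressed to the public IP.
packet = {"in": "Ether1-WAN", "dst": EXTERNAL}

if __name__ == "__main__":
    for name, rules in [
        ("drop only", [DROP_ALL]),
        ("allow external IP, then drop", [ALLOW_EXTERNAL, DROP_ALL]),
        ("allow internal IP, then drop", [ALLOW_INTERNAL, DROP_ALL]),
        ("drop, then allow internal IP", [DROP_ALL, ALLOW_INTERNAL]),
    ]:
        print(f"{name}: {route(packet, rules)}")
```

Only the third rule set lets the packet through: a rule matching the public address never fires in the forward chain, and a correct rule placed after the drop is never reached.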