I have many units set up; however, due to security needs, I have customers wanting ports open only from specific public IP addresses. How do I accomplish this in the CLI?
It's essentially the same as you would do for a port-forward from any external host, except your ACL has the allowed host IP in the source field.
Allowed external IP address: 192.0.2.5
External IP of router: 172.16.1.5
Internal SSH server: 192.168.10.5
ip access-list extended ssh-fwd-list
  permit tcp host 192.0.2.5 host 172.16.1.5 eq 22
interface eth 0/1
  description WAN to Internet
  ip address 172.16.1.5 255.255.255.0
  ip access-policy Public
ip policy-class Public
  nat destination list ssh-fwd-list address 192.168.10.5 port 22
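An added example, not part of the original answer: a Python check that reads a config in the shape shown above and reports every `nat destination` port-forward whose ACL permits traffic from `any` source or whose ACL is missing. The sample config is constructed; the `web-fwd-list` ACL and the 192.168.10.6 server are hypothetical entries added to produce a finding.

```python
import re

# Constructed sample: the answer's SSH forward plus a hypothetical open HTTPS forward.
SAMPLE_CONFIG = """\
ip access-list extended ssh-fwd-list
  permit tcp host 192.0.2.5 host 172.16.1.5 eq 22
ip access-list extended web-fwd-list
  permit tcp any host 172.16.1.5 eq 443
ip policy-class Public
  nat destination list ssh-fwd-list address 192.168.10.5 port 22
  nat destination list web-fwd-list address 192.168.10.6 port 443
"""

ACL_HEADER = re.compile(r"ip access-list extended (\S+)$")
NAT_RULE = re.compile(r"nat destination list (\S+) address (\S+)(?: port (\d+))?")

def parse_acls(config):
    """Map each extended ACL name to its permit entries (as token lists)."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = ACL_HEADER.match(line)
        if header:
            current = acls.setdefault(header.group(1), [])
        elif current is not None and line.startswith(("permit ", "deny ", "remark ")):
            if line.startswith("permit "):
                current.append(line.split())
        elif line:
            current = None  # any other command ends the ACL block
    return acls

def audit_port_forwards(config):
    """Return (acl, inside_target, problem) for forwards not tied to a source."""
    acls, findings = parse_acls(config), []
    for rule in NAT_RULE.finditer(config):
        name, addr, port = rule.groups()
        target = f"{addr}:{port}" if port else addr
        if name not in acls:
            findings.append((name, target, "ACL not defined"))
            continue
        for entry in acls[name]:
            # Token layout: permit <proto> <source...> <destination...>
            if len(entry) > 2 and entry[2] == "any":
                findings.append((name, target, "source is any"))
    return findings

if __name__ == "__main__":
    for finding in audit_port_forwards(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved copy of each unit's running config to confirm that every forward is restricted to the customer's allowed addresses.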