How can I open all ports to specific host?

I have a public IP address of being NAT'd to and want to open ALL ports just to that device. Ultimately, I would like to be able to pass off the public IP address directly to that device; however, if that is not allowed, I just want to open all ports to it. How can I go about doing so?

interface Vlan1
 description Inside
 nameif inside
 security-level 100
 ip address
interface Vlan2
 description Outside Interface
 nameif outside
 security-level 0
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outsidein extended permit icmp any any
access-list outsidein extended permit tcp any any eq www
access-list outsidein extended permit tcp any any eq smtp
access-list outsidein extended permit tcp any any eq pop3
access-list outsidein extended permit tcp any any eq imap4
access-list outsidein extended permit udp any any eq 23
access-list outsidein extended permit tcp any host eq telnet
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) netmask
access-group outsidein in interface outside
route outside X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd enable inside

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context

Since you have the static set up ok, you just need to tweak your internet facing access-list (outsidein)

Here is a suggested config. The only line you actually need is the line shown in bold below (with some additions that will help you with management if you want them).

1. Make a readable name for your inbound server
2. Create object groups for services and/or networks. This makes changes to the ports you use as easy as adding or deleting an object in the object-group, instead of having to add or remove actual lines in the access-list. Much less chance of making an error that way.
3. Create the access-list with the appropriate destinations based on the services you want.
4. Apply the access-list to an interface.

router# config t

name mydestinationserver

object-group network ServiceDestinations_net
  network-object (THIS IS OPTIONAL..It covers all the servers in your netblock..I suggest honing each destination individually based on the services you need.)
  network-object host
object-group service InboundServices-tcp tcp
  port-object eq www
  port-object eq pop3
  port-object eq smtp
  port-object eq imap4
object-group service InboundServices-udp udp
  port-object eq 23

(This next section will erase your current access-list, which makes it much easier to edit and cleaner. Sorry, I am a neat freak. If you want, there are some security items you should know about given what your access-list looks like. Make sure you have internal connectivity before you do the step clear config access-list outsidein.)

clear config access-list outsidein
access-list outsidein permit icmp any any
access-list outsidein permit tcp any host mydestinationserver log
access-list outsidein permit tcp any object-group ServiceDestinations_net object-group InboundServices-tcp
access-list outsidein permit udp any object-group ServiceDestinations_net object-group InboundServices-udp
access-list outsidein extended permit tcp any host eq telnet
access-list outsidein deny ip any any log

access-group outsidein in interface outside

I know this was way more than you asked for. But a firewall isn't any good if all you do is put accept ip any any everywhere.

Oops, hit send before I spell checked.

Here is the super terse answer to your question, without all of the unsolicited policy changes. Haha, sorry, I just can't look at a firewall configuration and not optimize it and try to lock it down. It is what a firewall is for. :)

This will insert any TCP or UDP port access to and log it.

access-list outsidein line 1 permit tcp any host log
access-list outsidein line 2 permit udp any host log
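The whole procedure from the answer above (name the host, one-to-one static, the all-ports ACEs, explicit deny, bind, verify), written out as an added example that is not part of the original thread. It assumes documentation addresses that are not on the page: 192.168.1.10 for the inside host, 203.0.113.10 for its public address, and 198.51.100.77 as an arbitrary outside source used only for the packet-tracer check. It keeps the pre-8.3 static/global/nat syntax the posted config uses, and it names the ACL `outsidein` to match the thread.

```cisco
! Added example, not from the original thread. Addresses are assumed
! (RFC 5737 documentation ranges); syntax is the pre-8.3 form used on the page.
conf t

! 1. Readable names. 'names' must be enabled before 'name' entries are honoured.
names
name 192.168.1.10 srv-inside
name 203.0.113.10 srv-public

! 2. One-to-one static: every port on the public address maps to the inside host.
!    This exposes whatever is listening on the host, so harden the host itself.
static (inside,outside) srv-public srv-inside netmask 255.255.255.255

! 3. Rebuild the inbound policy. Clearing the ACL does NOT open the firewall:
!    with no ACL bound, outside (security-level 0) to inside (100) is denied by
!    the default policy, so do this from a console or inside-side session.
clear configure access-list outsidein

!    Pre-8.3 interface ACLs match the MAPPED (public) address on inbound traffic,
!    so the destination is srv-public, not the RFC 1918 address.
!    'log' emits a syslog per new connection; on a busy host that is a lot of
!    messages, but it is the only record of what was reached through this rule.
access-list outsidein extended permit tcp any host srv-public log
access-list outsidein extended permit udp any host srv-public log

!    Narrow ICMP instead of 'permit icmp any any': echo to the host, plus the
!    reply/error types inside-initiated pings and traceroutes need back, since
!    the posted global_policy does not enable 'inspect icmp'.
access-list outsidein extended permit icmp any host srv-public echo
access-list outsidein extended permit icmp any any echo-reply
access-list outsidein extended permit icmp any any unreachable
access-list outsidein extended permit icmp any any time-exceeded

!    Explicit, logged deny last so that drops are visible in syslog.
access-list outsidein extended deny ip any any log

! 4. Bind the ACL inbound on the outside interface.
access-group outsidein in interface outside

! 5. Verify before trusting it: per-ACE hit counts, and a simulated packet from
!    outside to a port that no specific rule mentions (8443 here). The trace
!    should show the static untranslation and the 'permit tcp any host srv-public'
!    ACE as the match, with action allow.
show access-list outsidein
packet-tracer input outside tcp 198.51.100.77 40000 203.0.113.10 8443 detailed
```

If the existing service-specific lines from the thread (www, smtp, pop3, imap4) are kept for other hosts, add them between the two `permit ... srv-public` lines and the final deny; the ASA evaluates an ACL top-down and stops at the first match, so the order among permits does not matter, but nothing may follow the `deny ip any any`.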

rcooper83Author Commented:
I will give it a shot in the morning. I have never thought to use the object groups. It does clean it up quite nicely. Just a few more lines, but clean. Then you just add to the service group as opposed to the ACL each time.

Doing it this way, can I assign the public IP address directly to the device? Or do I need to keep the NAT?

The device needs to keep its RFC1918 address. But anything will be able to connect to it.

As for the policy optimization, yes, when you have to add a new service (to an IP other than the one you are allowing everything to, obviously) it's just one line. From one computer nerd to really need to go through your policy and eliminate anything clear text. No telnet etc. SSH is trivial to set up, because if you use telnet, you might as well not even use passwords. I apologize for the lecture, but I have to do it.
So were you successful?