AMtek (United States of America) asked:
Cisco ACL and NAT

Need to allow one static external IP SSH access to a couple of internal servers behind a Cisco router.
External static IP: 1.1.1.1
Internal static IPs: 10.10.10.2 and 10.10.10.3

Would this be a NAT plus ACL?
Predrag Jovic (Poland):

Not sure about the whole scenario (is 1.1.1.1 the IP address of your WAN interface, or do you need to allow access from IP address 1.1.1.1 to inside devices?). I presume that 1.1.1.1 is the WAN IP address.

Static NAT assignment is all you need in the scenario above:
ip nat inside source static tcp 10.10.10.2 22 1.1.1.1 40 extendable   <-- a request to port 40 on the WAN interface will be forwarded to device 10.10.10.2 port 22
ip nat inside source static tcp 10.10.10.3 22 1.1.1.1 26 extendable   <-- a request to port 26 on the WAN interface will be forwarded to device 10.10.10.3 port 22
AMtek (asker):
Thank you for helping.

Sorry, I meant 1.1.1.1 would be the only allowed IP address from the internet.
So assume:
1.1.1.1 is the external IP (and only IP) needing access
2.2.2.2 would be the current WAN IP address on the router
Replace 1.1.1.1 with 2.2.2.2 in the above port forward.
Filtering on the WAN port (Gi0/0):

ip access-list extended SSH_FILTER
 permit ip host 1.1.1.1 any    <-- permit full access from host 1.1.1.1 (you can be more specific to allow specific ports etc., but I guess there is no need for that)
 deny tcp any any eq 40        <-- deny any other host access to TCP port 40 - there is no need to care about source and destination address in this case, only to block port 40 as the destination
 deny udp any any eq 40        <-- the same for UDP port 40
 deny tcp any any eq 26        <-- the same as previous - just a different destination port - 26
 deny udp any any eq 26
 permit ip any any             <-- permit any other traffic

interface Gi0/0
 ip access-group SSH_FILTER in

You can use different ports and IP addresses, but the basic principle is the same...
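As an added check (my own Python, not code from the thread or from Cisco), the following evaluates the SSH_FILTER ACL and the two static NAT entries above against constructed sample packets, using IOS first-match semantics with an implicit deny at the end. It assumes the ACL is applied inbound on the outside interface, so it is matched against the pre-NAT destination (2.2.2.2 port 40 or 26), and it only understands the address forms this ACL uses (`any`, `host A.B.C.D`, `eq <port>`); the address 203.0.113.5 is a constructed "some other internet host", not anything from the thread.

```python
# Added example: a first-match evaluator for the ACL and static NAT from the thread.
# Assumptions (mine): ACL applied inbound on the outside interface (so it sees the
# pre-NAT destination), and only 'any' / 'host A.B.C.D' / 'eq <port>' are supported.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip" (matches every protocol), "tcp" or "udp"
    src: str              # "any" or a host address
    dst: str
    dport: Optional[int]  # None = any destination port


def _addr(tok, i):
    """Parse one address spec starting at tok[i]; return (address, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError("only 'any' and 'host A.B.C.D' are supported: " + " ".join(tok))


def parse_acl(text: str) -> List[Rule]:
    """Turn IOS-style extended ACL lines into an ordered rule list."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list ...' header, remarks and blank lines
        action, proto = tok[0], tok[1]
        src, i = _addr(tok, 2)
        dst, i = _addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """IOS semantics: the first matching entry decides; no match is an implicit deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if r.src != "any" and r.src != pkt.src:
            continue
        if r.dst != "any" and r.dst != pkt.dst:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "deny"


# The corrected ACL from the thread, with 2.2.2.2 as the router's WAN address.
SSH_FILTER = """
ip access-list extended SSH_FILTER
 permit ip host 1.1.1.1 any
 deny tcp any any eq 40
 deny udp any any eq 40
 deny tcp any any eq 26
 deny udp any any eq 26
 permit ip any any
"""
RULES = parse_acl(SSH_FILTER)

# The two 'ip nat inside source static tcp ...' entries as a lookup table:
# (WAN address, WAN port) -> (inside address, inside port).
STATIC_NAT = {
    ("2.2.2.2", 40): ("10.10.10.2", 22),
    ("2.2.2.2", 26): ("10.10.10.3", 22),
}


def inbound(rules: List[Rule], pkt: Packet) -> Optional[Packet]:
    """Outside-to-inside path: inbound ACL first (pre-NAT), then static NAT.
    Returns the packet as it reaches the inside network, or None if dropped."""
    if evaluate(rules, pkt) == "deny":
        return None
    if pkt.proto == "tcp" and (pkt.dst, pkt.dport) in STATIC_NAT:
        in_addr, in_port = STATIC_NAT[(pkt.dst, pkt.dport)]
        return Packet(pkt.proto, pkt.src, in_addr, in_port)
    return pkt  # not a forwarded port; passed through untranslated here


if __name__ == "__main__":
    # Constructed sample packets: the allowed host and some other internet host.
    samples = [
        Packet("tcp", "1.1.1.1", "2.2.2.2", 40),
        Packet("tcp", "1.1.1.1", "2.2.2.2", 26),
        Packet("tcp", "203.0.113.5", "2.2.2.2", 40),   # constructed, not allowed
        Packet("tcp", "203.0.113.5", "2.2.2.2", 443),  # unrelated traffic, still permitted
    ]
    for p in samples:
        print(f"{p.src} -> {p.dst}:{p.dport}/{p.proto}: {evaluate(RULES, p)} -> {inbound(RULES, p)}")
```

The point worth checking with such a model is ordering: because IOS stops at the first match, the `permit ip host 1.1.1.1 any` entry must sit above the `deny` entries, otherwise the allowed host is blocked too, and the final `permit ip any any` is what keeps the rest of the WAN traffic working.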
SOLUTION: Ian Arakel (India)

ASKER CERTIFIED SOLUTION