Do you want this client to have access to your whole internal network? Or just some specific machine on a specific port? If it's the whole network then you should create a VPN for him.
Just a machine (Web Server) on a specific port (443).
Make a rule on some other port, like 4434, set the source to his external IP, and redirect it to your internal webserver on port 443 (change the redirect port from 0 to 443). Unless someone from his company using that same IP is scanning your external IP for open ports and then trying to connect on them, I don't see how anyone else will use that rule besides him. Then you give him https://x.x.x.x:4434 and he can get to the server on the inside.
You first need to create a network object bound to your web server. You will then need to create a rule in your firewall. Select the application, source... In destination, put the public IP address (you could create an alias), and in the redirect field, specify the network object that you have created (the private IP address of your web server).
I think NAT is supposed to be set to none.
Please let us know if that works.