You definitely want the access-list on the outside to be as granular as possible. If you are running an IOS with the firewall feature set, the access-list provides several features not present in the NAT configuration, i.e. content-based access control, or CBAC. The firewall feature set also does some limited IP fragmentation tracking, and it is stateful, so orphaned FIN and ACK packets will not get through the access-list. Also, the access-list is helpful for logging inbound connections regardless of feature set. Hope that helps.

-Tom
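
The setup described in the reply above, as an added configuration example that is not part of the original post: a granular inbound access-list on the outside interface, combined with CBAC inspection and logging. The interface name, the list and inspection names, and the 203.0.113.x addresses are constructed placeholders, and the fragment assumes an IOS image with the firewall feature set.

```cisco
! Constructed example; names and addresses are placeholders.
!
! CBAC: inspect sessions that originate inside and leave through the
! outside interface. Return traffic for those sessions is admitted
! dynamically, so the inbound list needs no broad "established" or
! high-port permits.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND ftp
!
! Granular inbound policy: only the published services, each logged.
! On the outside interface the inbound list is checked before NAT,
! so entries match the public (translated) addresses.
ip access-list extended OUTSIDE-IN
 remark published mail server
 permit tcp any host 203.0.113.10 eq smtp log
 remark published web server
 permit tcp any host 203.0.113.11 eq www log
 remark log everything else that is refused
 deny ip any any log
!
interface Serial0/0
 description outside
 ip access-group OUTSIDE-IN in
 ip inspect OUTBOUND out
```

`show ip inspect sessions` lists the sessions CBAC is currently tracking, and `show access-lists OUTSIDE-IN` shows per-entry match counts for the logged permits and denies.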