Cisco ASA NAT

emckenzie1
Level 1

I have a Cisco ASA 5512; my scenario is the following:

I have a Cisco ASA in a datacenter. My provider gives me a public /29 routed through a private IP. I want to be able to access my Cisco ASA using SSH or ASDM using the public IP assigned. I know I can't use a secondary IP, so a NAT is the way to go. I have HTTP and SSH enabled. At the moment I'm not able to do it. Currently I have the following configuration:

interface GigabitEthernet0/0
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface Port-channel1
 no nameif
 no security-level
 no ip address
!
interface Port-channel1.1124
 vlan 1124
 nameif Untrust
 security-level 0
 ip address 172.20.0.196 255.255.255.248
!
object network PUBLIC-IP
 host x.x.x.x
object network PUBLIC-IP
 nat (Untrust,Untrust) static interface
object-group service DM_INLINE_SERVICE
 service-object ip
 service-object icmp
 service-object tcp-udp destination eq domain

access-list public-access extended permit object-group DM_INLINE_SERVICE any object PUBLIC-IP

route Untrust 0.0.0.0 0.0.0.0 172.20.0.193 1

13 Replies

Francesco Molino
VIP Alumni

Hi

I'm sorry, I haven't understood your requirement.

You want to access your ASA from the internet to its outside interface?

If yes, let's assume you don't have any specific host to filter from the internet and everyone can access.

I assume that AAA commands have been set up.

Below is the configuration for SSH and HTTP:

ssh 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 outside

PS: Please don't forget to rate and mark as correct answer if this solved your issue


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

That part is already in my config. I forgot to add it. But it still doesn't work.

To answer your question, that's correct: I want to access the device using the outside interface (Untrust). Like I mentioned, the interface has a private IP assigned, but my provider is routing a public IP through that private address. I want to be able to assign one of those public addresses to access the device. I already tried with a NAT, as shown in my config, but without luck.

Just before troubleshooting your config, could you share ASA logging and/or packet capture output when you are trying to SSH from outside?

I would like to see if packets are coming into the ASA or not.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I don't see any log. I ran a packet-tracer with the following result:

ciscoasa# packet-tracer input Untrust tcp x.x.x.x 443 172.20.0.193 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.20.0.192 255.255.255.248 Untrust

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network PUBLIC-IP
nat (Untrust,Untrust) static interface
Additional Information:
Static translate x.x.x.x/443 to 172.20.0.196/443

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
nat (any,Untrust) dynamic x.x.x.x
Additional Information:

Result:
input-interface: Untrust
input-status: up
input-line-status: up
output-interface: Untrust
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
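Reading a packet-tracer dump by eye is error-prone, so here is a small added example (not from the thread or from Cisco) that parses the output into phases and reports the first DROP phase together with the rule the ASA printed under it. The input is a constructed trace modelled on the one above, with the documentation address 203.0.113.10 standing in for the thread's x.x.x.x; the function and class names are my own.

```python
"""Parse Cisco ASA `packet-tracer` output and report the phase that dropped the flow."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the trace posted in the thread.
# 203.0.113.10 (RFC 5737 documentation range) stands in for the real public IP.
SAMPLE_TRACE = """
ciscoasa# packet-tracer input Untrust tcp 203.0.113.10 443 172.20.0.196 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.20.0.192 255.255.255.248 Untrust

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network PUBLIC-IP
nat (Untrust,Untrust) static interface
Additional Information:
Static translate 203.0.113.10/443 to 172.20.0.196/443

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
nat (any,Untrust) dynamic 203.0.113.10
Additional Information:

Result:
input-interface: Untrust
input-status: up
input-line-status: up
output-interface: Untrust
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    kind: str                      # the "Type:" line, e.g. NAT, ACCESS-LIST
    subtype: str                   # may be empty
    result: str                    # ALLOW or DROP
    config: List[str] = field(default_factory=list)   # lines under "Config:"
    info: List[str] = field(default_factory=list)     # lines under "Additional Information:"


@dataclass
class Trace:
    phases: List[Phase]
    summary: Dict[str, str]        # key/value pairs from the final "Result:" block

    def first_drop(self) -> Optional[Phase]:
        """The first phase whose result is DROP, or None if the flow was allowed."""
        return next((p for p in self.phases if p.result.upper() == "DROP"), None)


PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")


def parse_packet_tracer(text: str) -> Trace:
    phases: List[Phase] = []
    summary: Dict[str, str] = {}
    current: Optional[Phase] = None
    section: Optional[str] = None  # "config", "info" or "summary"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            current = Phase(int(m.group(1)), "", "", "")
            phases.append(current)
            section = None
            continue
        if line == "Result:":           # bare "Result:" opens the final summary block
            current, section = None, "summary"
            continue
        if section == "summary":
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        if current is None:             # e.g. the echoed command line before Phase 1
            continue
        if line.startswith("Type:"):
            current.kind, section = line[5:].strip(), None
        elif line.startswith("Subtype:"):
            current.subtype, section = line[8:].strip(), None
        elif line.startswith("Result:"):
            current.result, section = line[7:].strip(), None
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return Trace(phases, summary)


def summarize(trace: Trace) -> str:
    """One line naming the dropping phase, the rule printed under it, and the ASA's drop reason."""
    d = trace.first_drop()
    if d is None:
        return f"ALLOW after {len(trace.phases)} phases"
    rule = " / ".join(d.config) or "(no config shown)"
    return (f"Phase {d.number} ({d.kind}/{d.subtype or '-'}) DROP by rule: {rule}; "
            f"reason: {trace.summary.get('Drop-reason', 'n/a')}")


if __name__ == "__main__":
    print(summarize(parse_packet_tracer(SAMPLE_TRACE)))
```

Run against the trace above this reports phase 7 (NAT/rpf-check) with the obj_any dynamic rule printed under it, which is the rule to look at first rather than the generic "(acl-drop)" reason at the bottom.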

You are doing the packet-tracer with an IP ending in 193 while in your config it ends in 196; is it a typo, or did I miss something?

I was talking about capture and/or logging capabilities to see, if you try an SSH from outside, whether the packet arrives at the ASA or not, and how it's handling that connection.

Thanks 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

You were right about the IP, I didn't notice. But even weirder now, the packet-tracer finishes without problem. About the logs, I don't see any log. I have an extended ping from my PC, but I don't see anything in the ASDM log.

Are you sure your ISP is forwarding traffic to your ASA?

You're trying a ping. Do you get a reply back from your ping?

Thanks 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

If I point to another IP on the same public network I see the denied packets, but if I point to the correct public IP I don't see anything in the logs.

It has to be the access-list. Look what happens if I do it the other way around, from inside to the outside:

ciscoasa# packet-tracer input UNtrust tcp 10.213.29.129 443 98.139.183.24 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Untrust

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (any,Untrust) dynamic 186.x.x.x
Additional Information:
Dynamic translate 10.213.29.129/443 to 186.x.x.x/443

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
nat (any,Untrust) dynamic 186.x.x.x
Additional Information:

Result:
input-interface: Untrust
input-status: up
input-line-status: up
output-interface: Untrust
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

If you are using the right IP and nothing comes to the ASA, that means that nothing is forwarded by your ISP (you must see something, even if it's a deny or a permit, in the ASA logging on the CLI and/or ASDM). Have you activated the debugging mode on the ASA ASDM monitor logging?

Could you check that before?

Why not use another public IP that your ISP is forwarding to your ASA (the ones you see as denied on the ASA)?

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Same: if I change the IP to the one I was seeing denies for, I stop seeing anything.

OK, I maybe missed a part.

From outside, if you try an SSH connection, ICMP or whatever, does your ICMP get an echo-reply or time out?

And do you see traffic (denied or permitted) on the ASA? Put your monitor on debugging in ASDM to see everything.

If not, you may ask your ISP to verify if they're forwarding all traffic back to your outside ASA interface.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

C:\Users\emckenzie>ping 186.x.x.x -t

Pinging 186.x.x.x with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.

That's what I get when I try to access the interface from the outside.

What I meant is that, let's suppose the IP in the NAT is 186.x.x.1. If I try to ping that IP I don't see anything in the ASA logs, but if I try to ping 186.x.x.2 I see deny packets. If I then change the NAT to 186.x.x.2, I stop seeing the deny packets, but still cannot access the device. Either way I get "Request timed out" on my computer.

I don't know if that answers your question.

Sorry for my late answer.

First of all, with the NAT you've done (1st post), you will have an asymmetric NAT issue.

You're not seeing any traffic coming from the internet to the public IP you have.

I'm not sure that what you want to achieve will work, I mean SSH to the ASA interface by doing a NAT. I've never tried it that way. I can't lab it right now, I'm sorry.

When your IPs are forwarded to your ASA, to reach the ASA (ICMP) from the internet, I would do the following NAT:

nat (untrust,any) source static any any destination static PUBLIC-IP ASA-OUTSIDE-INTERFACE

The best way to achieve what you want to do, and the simplest way as well, would be to ask your ISP to do port-forwarding on their router.

If you manipulate all the NAT a bit to try what you want, you can face spoofing issues.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question