11-22-2013 04:16 AM - edited 03-11-2019 08:08 PM
Please can someone assist me with this quite basic configuration? (forgive the simple question but I am not too familiar with ASAs)
I need to configure an ASA 5505 to allow access from the inside interface to hosts on the DMZ interface (for SSH)
My partial configuration is as follows:
access-list inside_in extended permit tcp host 10.10.1.100 object-group INSIDE-LAN eq ssh
access-list inside_in extended permit tcp object-group INSIDE-LAN host 10.10.1.100 eq ssh
access-group inside_in interface inside
I am not sure whether I need an ACL on the DMZ interface.
I am running ASA version 8.0(3)6
Any help is gratefully received!
11-22-2013 05:56 AM
It's not only the access-list that has to be configured, but also a NAT rule.
The ACL: You only need to specify the initial traffic. As a stateful firewall, the ASA will take care of the return-packets.
If 10.10.1.100 is your DMZ-host, then you don't need your first ACL-line.
NAT: You should exempt the traffic from NAT. That can be done in different ways and depends on your actual config.
Please post the output of "show run nat", "show run global" and "show run static".
A NAT-config that will work in many scenarios (but without knowing the rest of your config, this is probably not the optimum) is the following:
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
In this example 10.1.1.0/24 is your internal network, inside and dmz are the names of the interfaces.
You find more on NAT in the config-guide:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1043190
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
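The stateful point made above (only the initial direction needs an ACL entry; the return packets ride the connection table, and the first ACL line never fires on the inside interface) is easy to see in a small model. The Python below is an added illustration, not ASA code and not from anyone in this thread; the INSIDE-LAN range, the hosts and the packets are constructed, and OBJECT_GROUPS is a hypothetical stand-in for the ASA's object-group definitions.

```python
"""Toy model of a stateful firewall's interface ACL: rules are evaluated
top-down, first match wins, an implicit deny ends every ACL, and packets
belonging to an already-admitted connection bypass the ACL in both
directions.  Added illustration only; constructed addresses throughout."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

OBJECT_GROUPS = {"INSIDE-LAN": [ip_network("10.1.1.0/24")]}  # constructed


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str               # "any", "host <ip>" or "object-group <name>"
    dst: str
    dport: Optional[int]   # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str          # interface the packet arrives on


def matches_addr(spec: str, addr: str) -> bool:
    kind, _, value = spec.partition(" ")
    a = ip_address(addr)
    if kind == "any":
        return True
    if kind == "host":
        return a == ip_address(value)
    if kind == "object-group":
        return any(a in net for net in OBJECT_GROUPS[value])
    raise ValueError(f"unsupported address spec {spec!r}")


class StatefulFirewall:
    def __init__(self, acls):
        # acls: interface name -> ordered rule list (the access-group binding).
        # Simplification: an interface with no ACL bound behaves as deny-all,
        # which is what the ASA does for traffic from a lower-security
        # interface (DMZ) toward a higher-security one (inside).
        self.acls = acls
        self.conns = set()   # admitted connections, as 5-tuples
        self.hits = {}       # (iface, rule index) -> match count

    def acl_decision(self, pkt):
        for idx, r in enumerate(self.acls.get(pkt.in_iface, [])):
            if r.proto not in ("ip", pkt.proto):
                continue
            if not (matches_addr(r.src, pkt.src) and matches_addr(r.dst, pkt.dst)):
                continue
            if r.dport is not None and r.dport != pkt.dport:
                continue
            self.hits[(pkt.in_iface, idx)] = self.hits.get((pkt.in_iface, idx), 0) + 1
            return r.action
        return "implicit-deny"

    def process(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conns or rev in self.conns:
            return "allow (existing connection)"   # no ACL lookup at all
        decision = self.acl_decision(pkt)
        if decision == "permit":
            self.conns.add(fwd)
            return "allow (acl)"
        return f"drop ({decision})"


def run_demo():
    # The two lines from the question, bound to inside; nothing bound on dmz.
    fw = StatefulFirewall({
        "inside": [
            Rule("permit", "tcp", "host 10.10.1.100", "object-group INSIDE-LAN", 22),
            Rule("permit", "tcp", "object-group INSIDE-LAN", "host 10.10.1.100", 22),
        ],
    })
    syn = Packet("tcp", "10.1.1.5", 40000, "10.10.1.100", 22, "inside")
    synack = Packet("tcp", "10.10.1.100", 22, "10.1.1.5", 40000, "dmz")
    unsolicited = Packet("tcp", "10.10.1.100", 4444, "10.1.1.5", 22, "dmz")
    return {
        "syn": fw.process(syn),
        "synack": fw.process(synack),
        "unsolicited": fw.process(unsolicited),
        # The first rule can only match a packet entering *inside* with source
        # 10.10.1.100; a DMZ host never arrives that way, so the rule is dead.
        "first_rule_hits": fw.hits.get(("inside", 0), 0),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The SYN from the inside LAN is admitted by the second line, the SYN/ACK coming back on dmz is admitted from the connection table without any DMZ ACL, and an unsolicited SSH attempt from the DMZ host toward the LAN hits the implicit deny. The first line from the question is never consulted for a packet that can actually arrive on the inside interface.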
11-25-2013 02:07 AM
Thank you very much Karsten - I have asked my counterpart in the country where the firewall is to provide this command output. I have also asked him to configure the NAT statement. What you have said makes sense and I have relayed the information. I am also trying to gain access to it myself. Many thanks for your help.
11-26-2013 01:53 AM
Hi Karsten,
I now have access to the ASA so can respond more easily. Meanwhile, here is the result of the show commands that you requested:
ASA# show run nat
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound outside
ASA# show run global
global (inside) 1 82.64.92.12-196.38.92.13 netmask 255.255.255.0
global (outside) 1 interface
ASA# show run static
static (inside,outside) 84.12.54.131 ISI_SRV netmask 255.255.255.255
static (inside,outside) 84.12.54.132 DWA_SRV netmask 255.255.255.255
Thank you very much for the help. I'll try to repay the community in the future!
12-02-2013 12:59 PM
Hi Karsten,
See my last post and the fact that I have access to the ASA. I'll try your NAT rule first I think.
11-22-2013 06:29 AM
To bypass the NAT you could enter the no nat-control command from global configuration mode.
If you require further assistance please post your full sanitized configuration.
--
Please rate all helpful posts.
11-22-2013 06:38 AM
To bypass the NAT you could enter the no nat-control command from global configuration mode.
That won't help, as it is very likely that there is a nat-statement for internet-access on the internal interface.
11-28-2013 05:38 AM
just add:
enable
config t
global (dmz) 1 interface
Value our effort and rate the assistance!
11-28-2013 05:40 AM
You cannot bypass NAT if you already have nat (inside) 1 0 0; it will force you to add that global that I mention, or configure NAT exemption or a static identity NAT.
12-01-2013 08:14 PM
Do you need anything else, do you have any comments?
12-02-2013 12:55 PM
Hi Jumora,
Your advice seems sound and I apologise for the delay in replying - it's because since Thursday I have been in London dealing with a problem with, ironically, another Cisco ASA.
I have access to the ASA that is the subject of this problem and tomorrow will be trying out this:
global (dmz) 1 interface
I will report back to this discussion AND can assure everyone that once the problem is overcome I'll update and give closure for anyone else reading this. There is nothing worse than a discussion that does not get closed.
Thanks again,
Daren
12-02-2013 05:05 PM
It's ok, I will wait for your update
12-13-2013 06:53 AM
First of all I am very sorry for the delay.
In addition to:
global (dmz) 1 interface
This is what I configured:
static (dmz,inside) tcp 10.10.1.100 ssh 10.10.1.100 ssh netmask 255.255.255.255
access-list inside_access_in extended permit ip any host 10.10.1.100 log
access-group inside_access_in in interface inside
Testing seems to show that an implicit deny is dropping it somehow, if I interpret this correctly:
TESTING
-------------
ASA_Firewall# packet-tracer input inside tcp 172.23.80.37 1026 10.10.1.100 ssh
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (dmz,inside) tcp 10.10.1.100 ssh 10.10.1.100 ssh netmask 255.255.255.255
match tcp dmz host 10.10.1.100 eq 22 inside any
static translation to 10.10.1.100/22
translate_hits = 0, untranslate_hits = 2
Additional Information:
NAT divert to egress interface dmz
Untranslate 10.10.1.100/22 to 10.10.1.100/22 using netmask 255.255.255.255
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule <================= This is where it fails
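When reading `packet-tracer` output by hand it is easy to miss which phase actually made the decision, especially once the NAT phases grow long. The Python below is an added example, not Cisco code and not from anyone in this thread: it parses the phase blocks and the trailing summary, then reports the deciding phase, its Config line and the Drop-reason. The sample transcript embedded in it is the one quoted in the post above (without the arrow annotation), so it runs offline.

```python
"""Parse Cisco ASA `packet-tracer` output into phases and a summary, and
report the phase that decided the flow.  Added example; the SAMPLE text is
the transcript from the post above, reproduced for offline use."""
import re

SAMPLE = """\
ASA_Firewall# packet-tracer input inside tcp 172.23.80.37 1026 10.10.1.100 ssh
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (dmz,inside) tcp 10.10.1.100 ssh 10.10.1.100 ssh netmask 255.255.255.255
  match tcp dmz host 10.10.1.100 eq 22 inside any
    static translation to 10.10.1.100/22
    translate_hits = 0, untranslate_hits = 2
Additional Information:
NAT divert to egress interface dmz
Untranslate 10.10.1.100/22 to 10.10.1.100/22 using netmask 255.255.255.255
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Return (phases, summary). Each phase is a dict with phase number,
    type, subtype, result, and the Config / Additional Information lines;
    summary holds the key: value pairs of the final 'Result:' block."""
    phases, summary = [], {}
    current, section = None, None
    for line in text.splitlines():
        m = re.match(r"Phase:\s*(\d+)", line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line.strip() == "Result:":          # bare 'Result:' opens the summary
            current, section = None, "summary"
            continue
        if section == "summary":
            key, _, val = line.partition(":")
            if val.strip():
                summary[key.strip()] = val.strip()
            continue
        if current is None:                    # e.g. the command echo line
            continue
        if line.startswith("Type:"):
            current["type"] = line[len("Type:"):].strip()
        elif line.startswith("Subtype:"):
            current["subtype"] = line[len("Subtype:"):].strip()
        elif line.startswith("Result:"):
            current["result"] = line[len("Result:"):].strip()
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section in ("config", "info"):
            current[section].append(line.strip())
    return phases, summary


def deciding_phase(phases):
    """First phase whose result is not ALLOW, else the last phase."""
    for p in phases:
        if p["result"] and p["result"] != "ALLOW":
            return p
    return phases[-1] if phases else None


def explain(text):
    phases, summary = parse_packet_tracer(text)
    p = deciding_phase(phases)
    return {
        "action": summary.get("Action"),
        "drop_reason": summary.get("Drop-reason"),
        "path": f"{summary.get('input-interface')} -> {summary.get('output-interface')}",
        "phase": p["phase"] if p else None,
        "type": p["type"] if p else None,
        "config": " ".join(p["config"]) if p else None,
    }


if __name__ == "__main__":
    for k, v in explain(SAMPLE).items():
        print(f"{k}: {v}")
```

For the transcript above this reports phase 3, type ACCESS-LIST, config "Implicit Rule", path inside -> dmz, action drop. An ACCESS-LIST phase that shows "Implicit Rule" rather than an ACL entry means no line of the ACL bound on the input interface matched the flow as it looks after the preceding UN-NAT phase, which is the first thing to compare against the ACL actually bound with access-group.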