permit ssh from external to internal

styler001
Level 1

Hello,

Haven't used Cisco firewall in over a decade.

I have a shiny new Cisco ASA 5506-x. I have configured it almost exactly like this:

http://blog.router-switch.com/2015/03/quick-guide-how-to-start-a-cisco-asa-5506-x/

and I used the ASDM app to add a rule under Configuration->Firewall->Access rules to permit inbound SSH.

When I try to connect via SSH, the connection times out. The error I see on the Cisco is:

denied due to nat reverse path failure

I am trying to set up a test environment and permit ssh, once I have that in place I think I can iterate and get a proper config up.

How do I permit SSH from external to internal?

Thanks for your patience,

: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.3(2)2 
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address xxx.89.50.122 255.255.255.248

ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended permit tcp any any eq ssh 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any unidirectional no-proxy-arp
!
object network obj_any
 nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http xxx.89.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address xxx.89.50.124-xxx.89.50.126 inside
dhcpd enable inside

6 Replies

Maykol Rojas
Cisco Employee

Are you trying to allow SSH access from outside to the box itself, or to a machine inside the network?

To the box would be: 

ssh 0 0 outside (allowing any; you can make it more specific by putting the subnet or host)

aaa authentication ssh console LOCAL

crypto key generate rsa mod 1024 

and then create a username and a password and you should be good. 

If it is to allow access from outside to inside over ssh (and using the firewall IP to do port forward), you can do the following: 

object network host
 host x.x.x.x

object service SSH
 service tcp source eq 22

nat (inside,outside) source static host service SSH SSH 

access-list outside permit tcp any host x.x.x.x eq 22 

access-group outside in interface outside 

At this point, try to ssh to the Outside interface of the firewall, that should do it. 

If you want to access it using the internal real IP address, modify the config I gave you to reflect the values you want (meaning on the interface keyword, using the same object "host").

Mike. 

Mike

ciscoasa(config)# nat (inside,outside) source static host service SSH SSH
                                                                   ^
ERROR: % Invalid input detected at '^' marker.

ciscoasa(config)# access-list outside permit tcp any host 192.168.110.201 eq 22
ciscoasa(config)# access-group outside in interface outside

The error is detected at the first "SSH".

Hi Mike,

I have started over again.

My intent is to allow access from outside to inside over SSH, as a simple test, using the firewall IP to do port forwarding. It appears from reading the built-in help as if I can do this purely via the GUI, without manually configuring NAT/ACL, simply by using the Firewall function "Public Servers"; however, this fails to work, and I believe that command line work is required. While I'm not familiar with Cisco, I've worked with Juniper, SonicWall and iptables. Part of my problem is that a lot of the examples I can find on the net refer to older ASA versions.

I am on ASA 9.3 and I suspect the syntax differs from what you suggest, here is what I'm trying:

A static one-to-one NAT as a simple test:

ciscoasa(config)# object network vmware
ciscoasa(config-network-object)# host 192.168.1.6
ciscoasa(config-network-object)# nat (inside,outside) static 192.168.110.201
ERROR: Address 192.168.110.201 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

Current error: tcp access denied by ACL from 192.168.110.199/41256 to outside 192.168.110.201/22

I see no way using the GUI to assign another IP to the external interface.

ASA Version 9.3(2)2 
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.110.201 255.255.255.0 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 

ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network VmwareHypervisor
 host 192.168.1.6
object network Vmware
 host 192.168.1.6
object network Public_Vmware
 host 192.168.110.202
object network public_outside
 host 192.168.110.201
object network host
 host 192.168.1.6
object service SSH
 service tcp source eq ssh 
object network vmware
 host 192.168.1.6
access-list outside_access_in extended permit tcp interface outside object VmwareHypervisor eq ssh 
access-list outside_access_in extended permit tcp interface outside interface inside eq ssh 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit tcp interface outside interface inside eq ssh 
access-list ACL-OUTSIDE-IN extended permit tcp any host 192.168.1.6 eq ssh 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.110.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5 
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 208.69.120.201 source outside
ntp server 23.226.142.216 source outside
ntp server 108.59.2.24 source outside
dynamic-access-policy-record DfltAccessPolicy

object network vmware
 host 192.168.1.6
 nat (inside,outside) static interface service tcp 22 22

In addition, your ACLs are wrong, i.e.

The "inside_access_in" ACL is permitting ip any any, which is allowed by default from a higher to a lower security interface, so you may as well remove it, i.e.

"no access-group inside_access_in in interface inside"

Your "outside_access_in" ACL makes no sense because the source will never be the interface IP address; however, your "ACL-OUTSIDE-IN" does make sense and is correct, so can you replace the existing ACL with that one, i.e.

"access-group ACL-OUTSIDE-IN in interface outside"

From memory that should overwrite the existing entry. If it complains that there is already an ACL applied to the outside interface, then remove the existing one first, i.e.

"no access-group outside_access_in in interface outside"

You may also want to read this doc, which gives an excellent overview of NAT post 8.3 and recommendations as to where to place certain rules etc.:

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Jon
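Jon's two points (post-8.3 ACLs name the real inside address, and an object NAT must actually publish that host) can be checked mechanically before a config is pushed. The following is an added example, not code from this thread or from Cisco: a small Python parser over the kind of config lines shown above, run against a constructed "before" snippet that mirrors the poster's second config and a constructed "after" snippet that mirrors Jon's fix. The helper names, finding texts and object names are my own choices; top-level twice NAT lines (`nat ... source static ...`) are deliberately not modelled.

```python
"""Flag post-8.3 ASA inbound ACL/NAT mismatches (constructed example)."""


def _take_addr(toks, i):
    """Consume one ASA address spec at toks[i]; return ((kind, value), next_index)."""
    tok = toks[i]
    if tok in ("any", "any4", "any6"):
        return ("any", None), i + 1
    if tok in ("host", "interface", "object", "object-group"):
        return (tok, toks[i + 1]), i + 2
    return ("subnet", f"{toks[i]} {toks[i + 1]}"), i + 2  # "ip mask" form


def _parse_ace(toks):
    """Parse 'access-list NAME [extended] permit PROTO SRC [eq P] DST [eq P]'."""
    p = toks.index("permit")
    proto, i = toks[p + 1], p + 2
    src, i = _take_addr(toks, i)
    if i < len(toks) and toks[i] == "eq":  # optional source port, skipped
        i += 2
    dst, i = _take_addr(toks, i)
    port = toks[i + 1] if i < len(toks) and toks[i] == "eq" else None
    return {"proto": proto, "src": src, "dst": dst, "port": port}


def _parse_child(section, toks):
    """Handle an indented line belonging to an 'object network' or 'interface' block."""
    kind, d = section
    if kind == "object":
        if toks[0] == "host":
            d["real"] = toks[1]
        elif toks[0] == "nat":  # object NAT lives inside the object block
            d["nat"] = " ".join(toks)
    elif kind == "iface":
        if toks[0] == "nameif":
            d["nameif"] = toks[1]
        elif toks[:2] == ["ip", "address"] and toks[2] != "dhcp":
            d["ip"] = toks[2]


def parse_asa(text):
    """Collect network objects, interface IPs, ACEs and access-group bindings."""
    cfg = {"objects": {}, "ifaces": [], "acls": {}, "groups": {}}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():
            if section is not None:
                _parse_child(section, line.split())
            continue
        section, toks = None, line.split()
        if toks[:2] == ["object", "network"]:
            obj = cfg["objects"].setdefault(toks[2], {"real": None, "nat": None})
            section = ("object", obj)
        elif toks[0] == "interface":
            iface = {"nameif": None, "ip": None}
            cfg["ifaces"].append(iface)
            section = ("iface", iface)
        elif toks[0] == "access-list" and "permit" in toks:
            cfg["acls"].setdefault(toks[1], []).append(_parse_ace(toks))
        elif toks[0] == "access-group" and toks[2] == "in":
            cfg["groups"][toks[4]] = toks[1]  # interface -> ACL name
    return cfg


def check_inbound_acls(cfg):
    """Return findings for ACLs bound inbound, applying post-8.3 NAT/ACL rules."""
    findings = []
    if_ips = {d["ip"] for d in cfg["ifaces"] if d["ip"]}
    by_real = {}
    for o in cfg["objects"].values():
        if o["real"]:
            by_real.setdefault(o["real"], []).append(o)
    any_static = any(o["nat"] and " static " in o["nat"] for o in cfg["objects"].values())
    for ifname, acl_name in cfg["groups"].items():
        for ace in cfg["acls"].get(acl_name, []):
            where = f"{acl_name} on {ifname}"
            src, dst = ace["src"], ace["dst"]
            if src[0] == "interface":
                findings.append(f"{where}: source 'interface {src[1]}' never matches arriving traffic")
            if dst[0] == "interface" or (dst[0] == "host" and dst[1] in if_ips):
                findings.append(f"{where}: destination {dst[1]} is a mapped (interface) address; "
                                "post-8.3 ACLs must name the real inside address")
                continue
            ip = dst[1] if dst[0] == "host" else None
            if dst[0] == "object":
                ip = cfg["objects"].get(dst[1], {}).get("real")
            if ip and ip in by_real and not any(o["nat"] for o in by_real[ip]):
                findings.append(f"{where}: {ip} has no object NAT, so inbound traffic to it "
                                "is dropped with 'nat reverse path failure'")
            elif dst[0] == "any" and not any_static:
                findings.append(f"{where}: destination 'any' but no static NAT publishes an inside host")
    return findings


# Constructed snippet mirroring the poster's second config (names/IPs as in the thread).
CONSTRUCTED_BEFORE = """\
interface GigabitEthernet1/1
 nameif outside
 ip address 192.168.110.201 255.255.255.0
!
interface GigabitEthernet1/2
 nameif inside
 ip address 192.168.1.1 255.255.255.0
!
object network VmwareHypervisor
 host 192.168.1.6
access-list outside_access_in extended permit tcp interface outside object VmwareHypervisor eq ssh
access-list outside_access_in extended permit tcp interface outside interface inside eq ssh
access-list ACL-OUTSIDE-IN extended permit tcp any host 192.168.1.6 eq ssh
object network obj_any
 nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
"""

# Constructed snippet mirroring Jon's suggested fix.
CONSTRUCTED_AFTER = """\
interface GigabitEthernet1/1
 nameif outside
 ip address 192.168.110.201 255.255.255.0
!
interface GigabitEthernet1/2
 nameif inside
 ip address 192.168.1.1 255.255.255.0
!
object network vmware
 host 192.168.1.6
 nat (inside,outside) static interface service tcp 22 22
access-list ACL-OUTSIDE-IN extended permit tcp any host 192.168.1.6 eq ssh
access-group ACL-OUTSIDE-IN in interface outside
"""

if __name__ == "__main__":
    for label, text in (("before", CONSTRUCTED_BEFORE), ("after", CONSTRUCTED_AFTER)):
        print(label, check_inbound_acls(parse_asa(text)) or ["no findings"])
```

The "before" snippet yields four findings (two "interface outside" sources, one mapped-address destination, one host with no object NAT), which is exactly the set of problems Jon lists; the "after" snippet yields none. The checker only understands object NAT, so a config that relies on twice NAT would need the top-level `nat` lines parsed as well.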

Thank you for the recommendations. I'm trying to use the GUI, but I think I might actually be better off learning the Cisco command line. I will try your recommendations on Monday and report back. Also, I could swear that the inside_access_in permitting ip any any was created by default by the ASDM GUI.

It may have been created by default, couldn't really say because I don't use the GUI.

You should be able to do all of the above using ASDM and there will be configuration examples on the Cisco site but I only know the CLI unfortunately.

See how you get on with it next week and by all means come back if you need more help.

Jon
