
Ping PIX help - two ip addresses on pix outside interface?

cybrsage
Level 1

Here is my situation:

I have a pix 515E currently running with private IPs on both the outside and inside interfaces. I now have to have the outside interface pingable from the Internet and cannot figure out how to do it.

This is what I thought I needed to do:

z.z.z.z is the Internet address of the person who needs to ping my pix

a.a.a.a is the new Internet address I am trying to use on the firewall.

10.0.0.1 is the inside interface

access-list outside_access_in permit icmp z.z.z.z host a.a.a.a

static (inside,outside) a.a.a.a 10.0.0.1 netmask 255.255.255.255 0 0

It does not work.

I was thinking maybe I just need a second ip address on the outside interface, but really have no idea.

Thanks!

21 Replies

Nope, that would be too easy. :)

I know the range makes it to my firewall, so at least that part of the problem is not an issue.

Thanks for all your help.

I've set it up in the lab, but I can't do it exactly with the hardware I have. I did do some searching on the internet and it looks like this will work. You need to create a management interface-

vlan 44

nameif management

ip address 192.168.1.50 255.255.255.0

Then create a NAT from one of your public IPs to the management interface.

static (management,outside) [public IP] 192.168.1.50 netmask 255.255.255.255

The port needs to be up, so I would plug it into a null VLAN so they can't get anywhere else when they SSH in.

Excellent, I will try it tomorrow and let you know.

Thank you for all your hard work!

I was just able to try this, but I cannot use the vlan command. It is not recognized.

I am running 6.3(3)

How do I set this up? My google-fu is low today and I cannot find any info on it.

Ahh, just use a new interface instead of the VLAN.

I am going to have the outside monitoring group test it soon, but this is what I added:

a.a.a.a is the legal IP address they will be using to connect.

access-list outside_access_in permit tcp object-group outside_servers eq ssh host a.a.a.a eq ssh

access-list outside_access_in permit tcp object-group outside_servers host a.a.a.a

access-list outside_access_in permit icmp object-group outside_servers host a.a.a.a

!

static (inside,outside) a.a.a.a 1.1.1.1 netmask 255.255.255.255 0 0

!

nameif ethernet5 management security10

!

ip address management 1.1.1.1 255.255.255.255

!

int ethernet5 100full

The 1.1.1.1 is then blocked by an access-list on the switch to which it connects.

Does that look like it should work?

Looks good. Your first two ACLs can be replaced by one that is more secure-

access-list outside_access_in permit tcp object-group outside_servers host a.a.a.a eq 22
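The last reply's point (a source-port qualifier like `eq ssh` before the destination never matches real client traffic, and a TCP rule with no destination port opens every port) is easy to miss when reading PIX 6.x `access-list` lines by eye. The following is an added example, not code from the thread or from Cisco: a small Python linter that parses PIX-style ACEs into their source, source-port, destination and destination-port fields and flags those two mistakes. The sample ACL text is constructed from the rules posted above (placeholder addresses kept as-is); the function names and the finding messages are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the four ACEs posted in the thread, placeholders unchanged.
SAMPLE_ACL = """\
access-list outside_access_in permit tcp object-group outside_servers eq ssh host a.a.a.a eq ssh
access-list outside_access_in permit tcp object-group outside_servers host a.a.a.a
access-list outside_access_in permit icmp object-group outside_servers host a.a.a.a
access-list outside_access_in permit tcp object-group outside_servers host a.a.a.a eq 22
"""

# Port operators accepted in PIX 6.x access-list syntax.
PORT_OPS = {"eq", "gt", "lt", "neq", "range"}


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: str
    src_port: Optional[str]
    dst: str
    dst_port: Optional[str]
    raw: str


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec at tokens[i]: any | host A | object-group G | A MASK."""
    t = tokens[i]
    if t == "any":
        return "any", i + 1
    if t in ("host", "object-group"):
        return f"{t} {tokens[i + 1]}", i + 2
    return f"{t} {tokens[i + 1]}", i + 2  # plain address followed by a mask


def _take_port(tokens: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume an optional port qualifier (eq/gt/lt/neq X or range A B) at tokens[i]."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        if tokens[i] == "range":
            return f"range {tokens[i + 1]} {tokens[i + 2]}", i + 3
        return f"{tokens[i]} {tokens[i + 1]}", i + 2
    return None, i


def parse_ace(line: str) -> Optional[AclEntry]:
    """Parse one 'access-list NAME permit|deny PROTO SRC [port] DST [port]' line."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        return None
    name, action, proto = tokens[1], tokens[2], tokens[3]
    i = 4
    src, i = _take_addr(tokens, i)
    src_port, i = _take_port(tokens, i)
    dst, i = _take_addr(tokens, i)
    dst_port, i = _take_port(tokens, i)
    return AclEntry(name, action, proto, src, src_port, dst, dst_port, line)


def lint(entries: List[AclEntry]) -> List[Tuple[str, str]]:
    """Return (raw_line, problem) pairs for the two pitfalls discussed in the thread."""
    findings = []
    for e in entries:
        if e.action != "permit":
            continue
        if e.src_port is not None:
            findings.append((e.raw, "source-port match: clients connect from ephemeral "
                                    "source ports, so this rule will not match SSH sessions"))
        if e.proto == "tcp" and e.dst_port is None:
            findings.append((e.raw, "all TCP ports permitted to destination; an SSH-only "
                                    "management host should be limited to eq 22"))
    return findings


def lint_text(text: str) -> List[Tuple[str, str]]:
    """Parse every access-list line in text and lint the result."""
    entries = [e for e in (parse_ace(l) for l in text.splitlines()) if e is not None]
    return lint(entries)


if __name__ == "__main__":
    for raw, problem in lint_text(SAMPLE_ACL):
        print(f"{problem}\n    {raw}")
```

Run against the sample, it reports the first ACE for the stray source-port qualifier and the second for permitting every TCP port; the ICMP rule and the `eq 22` rule pass clean. The parser only understands the address and port forms shown here (`any`, `host`, `object-group`, address plus mask), which is enough for outside-in rules like the ones in this thread.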
