329 Views, 0 Helpful, 1 Reply

SNMP/AAA access to an external switch?

Ableton34
Level 1

Hi all,

We have an external switch which links our core firewalls to a private network in the internet.

This switch is not currently able to be managed from our internal network via SNMP or with ACS/AAA Tacacs etc.

I want to know the best way of securely being able to manage it remotely and monitor it on our monitoring platform.

The link between the core firewalls and the Cisco switch is a basic trunk link at the moment.

Would I use NAT/PAT, place an external address on an interface of the switch, then NAT to it from the core FWs?

What other rules would I need etc?

thanks

1 Reply

Rich Uline
Level 1

Ableton,

It sounds like you want to use in-band management for the external switch and are using NAT on your firewall. For most NAT configurations, no special configuration is needed for communications originating from the inside of your network. Therefore, SSH and SNMP polling initiated from the inside of your network will be allowed out to the switch (firewall permitting) and the return traffic for the matching flow will be allowed back inside based on the NAT table entries established by the outbound connection. As this switch is external to your firewall but has remote administration enabled, be sure to block those protocols on all but the expected interfaces using an ACL.

Moving on, the communications originating from the switch destined for the inside of the network will not have a NAT entry so will be dropped. To resolve this you will need to create a static port mapping. On a Cisco router you would type something like 'ip nat inside source static tcp 10.0.0.10 49 132.16.0.1 49 extendable' to enable authentication using the TACACS+ protocol (where 10.0.0.10:49 is your server's IP:port and 132.16.0.1:49 is the IP:port you want the server to be accessible from on the outside).

You can also change the external port from the default of 49 to something else in order to obfuscate the external communications or ensure that port is open for later use. You do this when defining the TACACS server in the switch configuration. For older IOSs, the syntax was 'tacacs-server host [IP Address] port [port #] key [shared secret]', but I believe it is nested in sub-configurations now.
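The two halves of the reply above (the static port mapping on the NAT device, and the ACL plus TACACS+ server definition on the external switch) put together as one added configuration example. This is not part of either post: it assumes the NAT device is a Cisco IOS router and the switch runs a recent IOS release with the `tacacs server` sub-mode. The addresses 10.0.0.10 and 132.16.0.1 come from the reply; the firewall's outside address 132.16.0.2, the ACL and server names, the domain name, and the community/secret placeholders are constructed.

```cisco
! --- On the NAT device (Cisco IOS router doing the NAT) ---
! Static port mapping: TACACS+ requests the switch sends to 132.16.0.1:49
! are translated to the inside server 10.0.0.10:49. Flows the inside
! initiates (SSH, SNMP polls) need no extra entry; their return traffic
! matches the dynamic NAT entry created on the way out.
ip nat inside source static tcp 10.0.0.10 49 132.16.0.1 49 extendable

! --- On the external switch ---
! Only the firewall's outside address (constructed value 132.16.0.2) may
! reach the management plane; everything else is denied and logged.
ip access-list standard MGMT-HOSTS
 permit host 132.16.0.2
 deny   any log

! SSH only on the VTY lines, filtered by the ACL above (domain name is constructed)
ip domain-name example.internal
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in

! SNMP polling restricted to the same source; replace the placeholder community
snmp-server community REPLACE-WITH-COMMUNITY RO MGMT-HOSTS

! TACACS+ server as the switch sees it through the NAT. The port must match
! the static mapping above; if you move off 49, change it in both places.
aaa new-model
tacacs server ACS-OUTSIDE
 address ipv4 132.16.0.1
 port 49
 key REPLACE-WITH-SHARED-SECRET
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
```

The `access-class` and the ACL on `snmp-server community` filter by source address rather than by physical interface, which achieves the "all but the expected interfaces" restriction from the reply when the firewall is the only permitted source; an interface ACL on the trunk toward the firewall is the alternative if you prefer to enforce it per port. The trailing `local` keyword in the AAA method lists keeps a local fallback so a failed NAT mapping or an unreachable TACACS+ server does not lock you out of the switch.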
