05-14-2012 08:25 PM - edited 03-11-2019 04:06 PM
Hi experts,
I need your help with an ACL because I am not very familiar with ASA 5520 yet. I'm still studying.
I have been able to allow the OUTSIDE world to connect via SSH to the internal host 172.17.2.50 on my DMZ network. I've created a NAT rule and an ACL as written in the configuration below.
Now I need the INTERNAL network to SSH to 172.17.2.50 but ASA stops me with the following error:
"%ASA-3-305006: {outbound static|identity|portmap|regular) translation
creation failed for protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dest_address/dest_port [(idfw_user)]"
Can you please help me figure out a solution?
Here is the configuration (I've removed the standard part):
========================================================================
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address ************ ************
!
interface GigabitEthernet0/1
shutdown
nameif INTERNAL
security-level 100
no ip address
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 172.18.2.1 255.255.255.0
!
object-group service DM_INLINE_TCP_1 tcp
port-object eq ssh
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE object-group DM_INLINE_TCP_1
access-list DMZ_access_in extended permit tcp any interface INTERNAL eq ssh
global (OUTSIDE) 1 interface
global (INTERNAL) 1 interface
nat (INTERNAL) 1 172.18.1.0 255.255.255.0
nat (DMZ) 1 172.18.2.0 255.255.255.0
static (DMZ,OUTSIDE) tcp interface ssh 172.17.2.50 ssh netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE
access-group DMZ_access_in in interface DMZ
========================================================================
Thanks,
Dario
05-14-2012 10:48 PM
Here is the configuration:
static (INTERNAL,DMZ) 172.18.1.0 172.18.1.0 netmask 255.255.255.0
then "clear xlate" to clear any existing translation before you test access.
Hope that helps.
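To see why the identity static above clears the error, here is an added Python model (not a Cisco tool and not code from this thread) of the pre-8.3 nat/global/static lookup. It assumes a simplified lookup order (a static for the interface pair first, otherwise a nat id on the source interface must have a matching global on the destination interface) and uses the thread's NAT lines as constructed input.

```python
import ipaddress

# Constructed from the NAT-related lines of the thread's config (pre-8.3 syntax).
CONFIG_BEFORE = """
global (OUTSIDE) 1 interface
global (INTERNAL) 1 interface
nat (INTERNAL) 1 172.18.1.0 255.255.255.0
nat (DMZ) 1 172.18.2.0 255.255.255.0
static (DMZ,OUTSIDE) tcp interface ssh 172.17.2.50 ssh netmask 255.255.255.255
"""
# Same config plus the identity static from the accepted answer.
CONFIG_AFTER = CONFIG_BEFORE + "static (INTERNAL,DMZ) 172.18.1.0 172.18.1.0 netmask 255.255.255.0\n"

def parse_nat(config):
    """Collect static, nat and global statements; every other line is ignored."""
    rules = {"static": [], "nat": [], "global": set()}
    for line in config.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "static":
            real_if, mapped_if = p[1].strip("()").split(",")
            # port static: "static (r,m) tcp <mapped> <port> <real> <port> netmask <m>"; plain: "static (r,m) <mapped> <real> netmask <m>"
            real, mask = (p[5], p[8]) if p[2] in ("tcp", "udp") else (p[3], p[5])
            rules["static"].append((real_if, mapped_if, ipaddress.ip_network(f"{real}/{mask}", strict=False)))
        elif p[0] == "nat":      # "nat (real_if) <id> <net> <mask>"
            rules["nat"].append((p[1].strip("()"), p[2], ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)))
        elif p[0] == "global":   # "global (mapped_if) <id> interface|<pool>"
            rules["global"].add((p[1].strip("()"), p[2]))
    return rules

def translation_exists(rules, src_if, dst_if, src_ip):
    """Simplified (assumed) lookup: static for the (src_if, dst_if) pair wins; else nat id on src_if needs a global with the same id on dst_if."""
    ip = ipaddress.ip_address(src_ip)
    for real_if, mapped_if, net in rules["static"]:
        if (real_if, mapped_if) == (src_if, dst_if) and ip in net:
            return True
    for nat_if, nat_id, net in rules["nat"]:
        if nat_if == src_if and ip in net and (dst_if, nat_id) in rules["global"]:
            return True
    return False

def diagnose(config, src_if, dst_if, src_ip):
    """Return 'ok', or the syslog id the ASA raises when no translation can be built."""
    return "ok" if translation_exists(parse_nat(config), src_if, dst_if, src_ip) else "%ASA-3-305006"

if __name__ == "__main__":
    print("before:", diagnose(CONFIG_BEFORE, "INTERNAL", "DMZ", "172.18.1.10"),
          "after:", diagnose(CONFIG_AFTER, "INTERNAL", "DMZ", "172.18.1.10"))
```

With the original config, INTERNAL to OUTSIDE and DMZ to OUTSIDE already have a global 1 on the egress side, so only the INTERNAL to DMZ pair fails.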
05-14-2012 10:54 PM
Thanks a lot Jennifer. It worked perfectly! :-)
This support is just awesome.