Cisco ASA NAT Port Forwarding

Hello Florian

According to Cisco, concerning the implementation of Network Object NAT:

When a packet enters the adaptive security appliance, both the source and destination IP addresses and ports are checked against the network object NAT rules. The source and destination address in the packet can be translated by separate rules if separate matches are made. These rules are not tied to each other; different combinations of rules can be used depending on the traffic.

Let’s take a look at your example:

ASA1(config)# object network SSH_SERVER
ASA1(config-network-object)# host 192.168.3.3
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static interface service tcp 22 10022

For traffic originating outside and coming in, the following must be matched in order for this translation to take place:

  • destination address of outside interface
  • destination port of TCP 10022

For this same NAT rule to allow a translation to occur for traffic originating inside and going out, the following must be matched:

  • source address of 192.168.3.3
  • source port of 22

Translation will occur in this case; however (as is the case with most services), port 22 is a listening port. It is designed to listen for incoming requests. The client-server model is set up such that clients choose a random TCP port (somewhere between 49152–65535) and connect to the specific port of the service, 22 in this case being SSH. Although you can configure port 22 to initiate sessions, it is rarely done.

I hope this has been helpful!

Laz
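As an added example (not part of the reply above or Cisco's own code), the following Python models the two-direction matching of the static PAT rule from the post: inbound traffic is matched on destination interface:10022, outbound traffic on source 192.168.3.3:22, and a session the server initiates from an ephemeral source port matches neither. The OUTSIDE interface address 203.0.113.10 and the client addresses are constructed values.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the rule in the post:
#   object network SSH_SERVER / host 192.168.3.3
#   nat (DMZ,OUTSIDE) static interface service tcp 22 10022
REAL_IP = "192.168.3.3"
REAL_PORT = 22
MAPPED_IP = "203.0.113.10"   # assumed OUTSIDE interface address (not in the post)
MAPPED_PORT = 10022


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def apply_static_pat(pkt: Packet, direction: str) -> Optional[Packet]:
    """Return the translated packet if the rule matches, otherwise None.

    direction: "inbound" (OUTSIDE -> DMZ) or "outbound" (DMZ -> OUTSIDE).
    Inbound packets are matched on destination (mapped address and port);
    outbound packets are matched on source (real address and port).
    """
    if pkt.proto != "tcp":
        return None
    if direction == "inbound":
        if pkt.dst_ip == MAPPED_IP and pkt.dst_port == MAPPED_PORT:
            # Untranslate destination: interface:10022 -> 192.168.3.3:22
            return Packet(pkt.src_ip, pkt.src_port, REAL_IP, REAL_PORT)
        return None
    if direction == "outbound":
        if pkt.src_ip == REAL_IP and pkt.src_port == REAL_PORT:
            # Translate source: 192.168.3.3:22 -> interface:10022
            return Packet(MAPPED_IP, MAPPED_PORT, pkt.dst_ip, pkt.dst_port)
        return None
    raise ValueError(f"unknown direction: {direction}")


if __name__ == "__main__":
    client = Packet("198.51.100.7", 51234, MAPPED_IP, MAPPED_PORT)
    print("inbound ->", apply_static_pat(client, "inbound"))
    # Server-initiated SSH from an ephemeral port: no match, no translation
    print("outbound ->", apply_static_pat(Packet(REAL_IP, 51000, "198.51.100.7", 22), "outbound"))
```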