I need to allow a vendor to get ssh access to a device on my inside network. Of course I want to limit where the ssh is coming from and going to. Do the lines below look sufficient?
access-list acl_out permit tcp host outside.vendor.ip host my.outside.ip eq ssh
static (inside,outside) tcp my.outside.ip ssh my.internal.ip ssh netmask 255.255.255.255 0 0
Yes, unless "my.outside.ip" is the ip of your outside interface. In that case, replace "my.outside.ip" with the keywork "interface". Also apply the acl with "access-group acl_out in interface outside".