I'm having trouble with a security policy rule that is denying outbound connections. I am trying to allow outbound SSH connections to specific IP addresses. Therefore, I added a rule on the inside incoming interface that allows tcp source 192.168.0.0/24 dest ip-group tcp-service group. The ip-group consists of 3 IP addresses of servers. The TCP service group consists of TCP ports 902, 9999, ftp, ftp-data, and ssh. 902, 9999, ftp, and ftp-data work fine, but SSH does not work. I get a message in the log: deny tcp src 192.168.0.x to x.x.x.x:22 on the internal access list.
I have a NAT rule for these connections, but it looks like the firewall denies it before the NAT rule takes effect.
Let me know if anyone has any suggestions. Thanks,