Where are you trying to connect from? If you are trying to connect to the outside interface but from a machine on the inside, I don't think this will work. If you are on the inside, could you not just connect to the inside interface?
I have this schema
host 172.16.1.0/24 > ASA A > Router > ASA B > host 172.16.2.0/24
I want an SSH connection from host 172.16.1.0/24 to outside ASA B and an SSH connection from host 172.16.2.0/24 to outside ASA A. Is it possible?
host 172.16.2.x to outside ASA A - yes
host 172.16.1.x to outside ASA B - it would make more sense to have
host 172.16.1.x to inside of ASA B.
Is there some reason you cannot do this?
SSH from 172.16.1.x to inside ASA A = OK
SSH from 172.16.1.x to outside ASA B = NOK
No translation group found for tcp src inside:172.16.1.2/2737 dst outside:172.16.0.6/22
I just want that host from 172.16.1.x can connect on ASA A and B
You have to configure a static and access-list on ASA B if the security level of the ssh host is higher than the interface that you're coming from.
E.g. if you want to access the host which is on the inside (security level 100) and you're coming from the outside (security level 0), you need to configure a static translation and an access-list that specifies what incoming traffic is allowed.
Doesn't matter if it's in the DMZ or inside. You're going from a less secure network to a more secure network, e.g.: static and access-list.
host 172.16.1.0/24 > (inside) ASA A (outside) > Router > (inside) ASA B (outside)> host 172.16.2.0/24
Can you confirm if the above is correct in terms of where the inside and outside interfaces of each ASA are? If it is correct
"I just want that host from 172.16.1.x can connect on ASA A and B"
To ASA A from 172.16.1.x connect to inside which is what you are doing and it is okay
To ASA B connect to inside not outside and you will be fine. That is assuming the above is correct in terms of where inside/outside are.
If not let me know.
Not correct, see below.
host 172.16.1.0/24 > (inside) ASA A (outside) > Router > (outside) ASA B (inside)> host 172.16.2.0/24
SSH Host 172.16.1.0/24 to inside ASA A = OK
SSH 172.16.1.0/24 to outside ASA B = NOK
Okay, would have helped if you had told me where the interfaces were :-)
Yes you are right this should work.
So, a couple of things to check:
1) What IP address(es) are you allowing to ssh to ASA B, and is the ASA A firewall natting the source address of 172.16.1.x to something else?
2) Does the ASA B have a route back to whatever the source address is, i.e. 172.16.1.x or whatever ASA A has natted it to?
3) Same question as 2 for the router.
Actually host 172.16.1.x can join the host 172.16.2.x
From there are all route to join the host behind ASA A and B
route outside 172.16.2.0 255.255.255.0 10.52.72.135
route outside 172.16.0.4 255.255.255.252 10.52.72.135
ssh 172.16.2.0 255.255.255.0 outside
ssh 172.16.1.0 255.255.255.0 inside
route outside 172.16.1.0 255.255.255.0 172.16.0.5
route outside 10.52.72.128 255.255.255.192 172.16.0.5
ssh 172.16.2.0 255.255.255.0 inside
ssh 172.16.1.0 255.255.255.0 outside
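The first two checks from the list earlier in the thread (is the source address covered by an `ssh` line for the interface it arrives on, and is there a route back to it), run over the last four configuration lines posted above. This is an added example, not part of any post; that those four lines belong to ASA B, the function names, and the translated address 10.52.72.130 used in the test are assumptions.

```python
import ipaddress

# The last four lines posted in the thread; treating them as ASA B is an assumption.
ASA_B_CONFIG = """\
route outside 172.16.1.0 255.255.255.0 172.16.0.5
route outside 10.52.72.128 255.255.255.192 172.16.0.5
ssh 172.16.2.0 255.255.255.0 inside
ssh 172.16.1.0 255.255.255.0 outside
"""

def parse(config):
    """Collect the ssh allow-list and the static routes from ASA config text."""
    ssh_rules, routes = [], []
    for line in config.splitlines():
        parts = line.split()
        try:
            if len(parts) == 4 and parts[0] == "ssh":
                # ssh <network> <mask> <interface>
                net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
                ssh_rules.append((net, parts[3]))
            elif len(parts) >= 5 and parts[0] == "route":
                # route <interface> <network> <mask> <gateway>
                net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}")
                routes.append((net, parts[1], parts[4]))
        except ValueError:
            continue  # other ssh/route sub-commands that carry no network
    return ssh_rules, routes

def check_ssh_path(config, src, interface):
    """Check 1: is src allowed to ssh to `interface`? Check 2: static route back?"""
    ssh_rules, routes = parse(config)
    addr = ipaddress.ip_address(src)
    allowed = any(addr in net and ifc == interface for net, ifc in ssh_rules)
    # Longest-prefix match over static routes only; connected networks are
    # not visible in these lines, so None means "no static route", not "unreachable".
    matches = [r for r in routes if addr in r[0]]
    best = max(matches, key=lambda r: r[0].prefixlen, default=None)
    return {"ssh_allowed": allowed,
            "return_route": (best[1], best[2]) if best else None}

if __name__ == "__main__":
    # Untranslated source from the log line, then a constructed NAT address.
    for src in ("172.16.1.2", "10.52.72.130"):
        print(src, check_ssh_path(ASA_B_CONFIG, src, "outside"))
```

If ASA A translates 172.16.1.x to an address in its outside range, the route back still matches but the `ssh` line on ASA B no longer does, which is the case the first check is asking about.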