Pix 515 2 "inside" networks

david.kordyban
Level 1

I have a PIX 515 with a 4-port NIC installed. I have outside set up with a public IP, inside set up with a private IP on one of my inside subnets, and eth2 on the ex card set up with a different private subnet on our network. I need to be able to access the internet from both private subnets through the same outside IP. It seems like it should be simple enough to just copy the NAT rule for the first network, which is working. Do I need to change security levels on the NIC?

Thanks for your time

6 Replies

varrao
Level 10

Hi David,

Yes, you need not do much; let me explain with an example.

You have 3 interfaces, let's say inside, outside and dmz:

Since inside is the higher-security zone for you, its security level would be 100.

Outside is less secure, so its level should be 0.

dmz is a mid-security zone, so its level could be 50, although you can change it to 100 as well; that's your requirement.

for internet access:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

nat (dmz) 1 0.0.0.0 0.0.0.0

That's it. Both inside and dmz would take the public IP on the outside interface and should be able to access the internet.

Hope this helps

Thanks,

Varun

Thanks,
Varun Rao

Thank you Varun

After checking, I am still having trouble. I have internet when plugging into the "server" NIC on the PIX. I then clear xlate and clear arp, change the IP info on the PC NIC, plug into Courthouse and Sheriff, and I get nowhere; I can't even ping the PIX IP for that subnet. Can you see anything wrong with the config:

PIX-GW# show run
: Saved
:
PIX Version 8.0(4)
!
hostname PIX-GW
domain-name garrettcounty.org
enable password 2Vnffa/98HkYTtlJ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 167.*.#.% 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.100.20 255.255.255.0
!
interface Ethernet2
 nameif Sheriffs
 security-level 99
 ip address 192.168.104.3 255.255.255.0
!
interface Ethernet3
 nameif Courthouse
 security-level 98
 ip address 192.168.102.50 255.255.255.0
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name dn.local
pager lines 24
mtu inside 1500
mtu Sheriffs 1500
mtu Courthouse 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (Sheriffs) 101 0.0.0.0 0.0.0.0
nat (Courthouse) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 167.*.*.*.*
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.100.0 255.255.255.0 inside
http 192.168.100.88 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1b03067e1a9f17d1ae0e08c72c1d9a80
: end

Hi david,

Please provide me the captures when you plug the internet into the Sheriff and Courthouse interfaces; here is how to take them:

access-list cap permit ip host any

access-list cap permit ip any host

capture caps access-list cap interface sherrif

capture capo access-list cap interface outside

Try connecting to the internet after that, and collect the output of "show capture caps" and "show capture capo".

Moreover, kindly give me the output of packet-tracer:

packet-tracer input sherrif tcp 2345 1.1.1.1 80 detailed

And please collect the logs for the time of the issue as well; this should be enough to troubleshoot on the ASA.

Hope this helps

Thanks,

Varun

Thanks,
Varun Rao
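The two things Varun's replies turn on are (a) each inside-facing interface needing a `nat (<nameif>) <id>` entry whose id pairs with the `global (outside) <id> interface` statement, with a security level above outside, and (b) capture and packet-tracer commands naming an interface exactly as it appears in `nameif`. The script below is an added example written for this thread, not code from the original posts or from Cisco: it parses a running-config in the 8.0 style shown above and checks both points before anyone touches the firewall. The sample config is constructed to mirror the posted one (the masked outside address is replaced by the documentation placeholder 203.0.113.10), and the troubleshooting commands are constructed in the same shorthand as the thread, including the spelling "sherrif", which is not a configured nameif, and a constructed source address on the Sheriffs subnet for packet-tracer.

```python
import re

# Constructed sample config: the interface, nat and global lines mirror the
# running-config posted in the thread; the masked outside address is replaced
# by a documentation-range placeholder (203.0.113.10 is not the real address).
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
!
interface Ethernet2
 nameif Sheriffs
 security-level 99
!
interface Ethernet3
 nameif Courthouse
 security-level 98
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
!
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (Sheriffs) 101 0.0.0.0 0.0.0.0
nat (Courthouse) 101 0.0.0.0 0.0.0.0
"""

# Constructed troubleshooting commands in the same shorthand as the thread.
# "sherrif" is not a nameif above; 192.168.104.10 is a made-up source host.
TROUBLESHOOT_COMMANDS = [
    "capture caps access-list cap interface sherrif",
    "capture capo access-list cap interface outside",
    "packet-tracer input sherrif tcp 192.168.104.10 2345 1.1.1.1 80 detailed",
]


def parse_config(text):
    """Return (levels, nat_ids, global_ids).

    levels:     nameif -> security-level (None if the block has none)
    nat_ids:    nameif -> set of ids from `nat (<nameif>) <id> ...`
    global_ids: nameif -> set of ids from `global (<nameif>) <id> ...`
    """
    levels, nat_ids, global_ids = {}, {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None                  # new block; wait for its nameif
        elif line.startswith("nameif "):
            current = line.split()[1]
            levels[current] = None
        elif line.startswith("security-level ") and current is not None:
            levels[current] = int(line.split()[1])
        else:
            m = re.match(r"(nat|global) \((\S+)\) (\d+)\b", line)
            if m:
                table = nat_ids if m.group(1) == "nat" else global_ids
                table.setdefault(m.group(2), set()).add(int(m.group(3)))
    return levels, nat_ids, global_ids


def check_internet_nat(levels, nat_ids, global_ids, egress="outside"):
    """List what stops each non-egress interface from translating out through
    the egress interface; an empty list means the PAT setup is complete."""
    if egress not in levels:
        return [f"no interface named {egress!r}"]
    egress_level = levels[egress]
    findings = []
    for ifc, level in levels.items():
        if ifc == egress:
            continue
        if level is None:
            findings.append(f"{ifc}: no security-level")
            continue
        # Dynamic NAT/PAT only applies from a higher to a lower security level.
        if level <= egress_level:
            findings.append(f"{ifc}: security-level {level} not above "
                            f"{egress} ({egress_level})")
        # The nat id must pair with a global entry on the egress interface.
        if not nat_ids.get(ifc, set()) & global_ids.get(egress, set()):
            findings.append(f"{ifc}: no nat id matching a global ({egress})")
    return findings


def check_interface_names(levels, commands):
    """Return (command, name) pairs whose interface name matches no configured
    nameif (compared case-insensitively), so the command would not run
    against the interface the operator meant."""
    known = {name.lower() for name in levels}
    bad = []
    for cmd in commands:
        m = (re.search(r"\binterface (\S+)", cmd)
             or re.match(r"packet-tracer input (\S+)", cmd))
        if m and m.group(1).lower() not in known:
            bad.append((cmd, m.group(1)))
    return bad


if __name__ == "__main__":
    lv, nat, glb = parse_config(SAMPLE_CONFIG)
    print("NAT findings:", check_internet_nat(lv, nat, glb) or "none")
    for cmd, name in check_interface_names(lv, TROUBLESHOOT_COMMANDS):
        print(f"unknown interface {name!r} in: {cmd}")
```

Run it against a saved `show run` by reading the file into `parse_config`; for the posted config it reports no NAT findings (all three named interfaces share id 101 with the outside global and sit above security level 0) and flags only the two commands that name "sherrif" instead of "Sheriffs".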

Hi, I put the capture commands in and plugged in to Sheriff and it started working. Maybe I had bad Ethernet cables.

Anyway, I really appreciate the help; consider it solved.

Hi David,

That is good, all the best

Varun

Thanks,
Varun Rao

p.mcgowan
Level 3

As long as the security level on your second inside interface is higher than the outside interface, you should be fine.
