New ASA 5510 Setup LAN's can not get to Internet

I have two ISP's and 2 LAN in to an ASA5510 and I can not get to the internet via my LAN's see config bellow.

Goal for now is to have Staff on one isp and Guest on the other isp

Please Help Thanks!

Result of the command: "show running-config"

: Saved
: Serial Number: XXXXXXXXXXXX
: Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
ASA Version 9.1(6)
interface Ethernet0/0
 nameif Staff-ISP-Interface
 security-level 50
 ip address dhcp setroute
interface Ethernet0/1
 nameif Staff-Network-Interface
 security-level 50
 ip address x.x.x.x
interface Ethernet0/2
 nameif Guest-ISP-Interface
 security-level 16
 ip address x.x.x.x
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Ethernet0/3.16
 vlan 16
 nameif Guest-Network-Interface
 security-level 16
 ip address x.x.x.x
interface Management0/0
 nameif management
 security-level 100
 ip address x.x.x.x
boot system disk0:/asa916-k8.bin
ftp mode passive
dns domain-lookup Staff-ISP-Interface
dns domain-lookup Staff-Network-Interface
dns domain-lookup Guest-ISP-Interface
dns domain-lookup Guest-Network-Interface
dns server-group DefaultDNS
 name-server x.x.x.x
 name-server x.x.x.x
object network Guest_Network
 subnet x.x.x.x
object network Guest-NAT
 host x.x.x.x
object network Staff-Nat
 host x.x.x.x
object network Staff_Network
 subnet x.x.x.x
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu Staff-ISP-Interface 1500
mtu Staff-Network-Interface 1500
mtu Guest-ISP-Interface 1500
mtu Guest-Network-Interface 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-742.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route Staff-ISP-Interface x.x.x.x 1
route Guest-ISP-Interface x.x.x.x 16
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http x.x.x.x management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface Staff-ISP-Interface
dhcpd address x.x.x.x-x.x.x.x management
dhcpd enable management
dhcpd address x.x.x.x-x.x.x.x Staff-Network-Interface
dhcpd dns x.x.x.x x.x.x.x interface Staff-Network-Interface
dhcpd option 3 ip x.x.x.x interface Staff-Network-Interface
dhcpd enable Staff-Network-Interface
dhcpd address x.x.x.x-x.x.x.x Guest-Network-Interface
dhcpd dns x.x.x.x x.x.x.x interface Guest-Network-Interface
dhcpd lease 1800 interface Guest-Network-Interface
dhcpd option 3 ip x.x.x.x interface Guest-Network-Interface
dhcpd enable Guest-Network-Interface
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

The following example configures dynamic PAT that hides the x.x.x.x network behind the outside interface address:

(config)# object network my-inside-net
(config-network-object)# subnet x.x.x.x
(config-network-object)# nat (inside,outside) dynamic interface

The same as on other asked question :)
LOGTECHSERVAuthor Commented:
Added that still not working... Maybe an Access rule?
Pete LongTechnical ConsultantCommented:
Add this;

object network Staff_Network
nat (Staff-Network-Interface, Staff-ISP-Interface) dynamic interface
Check Out How Miercom Evaluates Wi-Fi Security!

It's not just about Wi-Fi connectivity anymore. A wireless security breach can cost your business large amounts of time, trouble, and expense. Plus, hear first-hand from Miercom on how WatchGuard's Wi-Fi security stacks up against the competition plus a LIVE demo!

Pete LongTechnical ConsultantCommented:
also change the sec level

interface Ethernet0/1
 security-level 90

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
LOGTECHSERVAuthor Commented:
What about for the guest network?
Pete LongTechnical ConsultantCommented:
object network Guest_Network
nat (Guest-Network-Interface, Guest-ISP-Interface) dynamic interface
interface Ethernet0/3.16
 security-level 80

Should do
LOGTECHSERVAuthor Commented:
Still no internet on the LAN's...  Could it be access rules?
LOGTECHSERVAuthor Commented:
Let me know if you want an updated Running Config

Thanksfor your help!!!!!!!!
Pete LongTechnical ConsultantCommented:
>>Could it be access rules?

I don't see any access-group commands so no.

show run access-group

will tell you if it returns nothing then you have no applied ACLs

Im assuming the ASA can ping each of the ISP router IP addresses, and can also ping Until you sort that noting will get internet access.

Assuming all that works show me the result of a

show nat


show run nat

LOGTECHSERVAuthor Commented:
It did work!!!!!  I had unplugged the ISP patch cable yesterday after i left for the day and forgot to plug it back in.

THANK YOU!!!! I had added tried the NAT before but never changed the Security level....
Pete LongTechnical ConsultantCommented:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.