Need help configuring PIX 501 after ISP IP address change

Hello,

I need some help in configuring a Cisco PIX 501 VPN appliance. Our ISP changed our range of usable IP addresses. After that range was changed, no users could connect to the Internet. Our PIX 501E is set up as a NAT server and assigns IP addresses in the 10.1.1.1 to 101.1.1.x range.

I scanned the original configuration and tried to replace the old IP addresses with the new ones. In particular I found:

ip address outside x.x.x.x 255.255.255.248

(x.x.x.x was the static address assigned to the PIX appliance). I changed this value to:

ip address outside y.y.y.y 255.255.255.248

where y.y.y.y is the new IP address for the PIX appliance.

Also, I saw:

route outside 0.0.0.0 0.0.0.0 x1.x1.x1.x1 1

and made the IP address change to correspond to the WAN IP address.

I saved these changes and rebooted the router, but the PIX does not allow internet connectivity.

Is there something else I need to do?

Thanks Mike McWhinney

Reply to
eljainc

What does your NAT statement look like in the config? Also your global statement?

Should look something like:

global (Outside) 10 interface
nat (Inside) 10 0.0.0.0 0.0.0.0

Reply to
Smokey

Also, from the firewall, can you ping your next hop?

route outside 0.0.0.0 0.0.0.0 x1.x1.x1.x1

Where x1.x1.x1.x1 is your next hop, if not you have other problems.

Reply to
Smokey
*** Can you post the part of your config including the statements

global
nat
static

The global statement may contain the old IP also, unless it's configured with the "interface" option.

***

Verify that you don't have two default routes (though I don't remember if the PIX allows you to have two). You may need to do a

no route outside 0.0.0.0 0.0.0.0 x1.x1.x1.x1 1

***

And be sure you can ping the default gateway from the PIX before concluding that it's a translation problem

ping outside y.y.y.y

****
Reply to
mcaissie
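
An added example, not part of the original thread and not written by any of its posters: a small Python check that scans a saved PIX configuration for the two leftovers raised above, lines that still reference the old outside range and more than one default route. The addresses are constructed documentation-range values, and the function name `audit_pix_config` is hypothetical.

```python
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample config: old range 192.0.2.0/29, new range 198.51.100.0/29.
SAMPLE_CONFIG = """\
ip address outside 198.51.100.1 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.0.2.2 10.1.1.10 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.0.2.6 1
route outside 0.0.0.0 0.0.0.0 198.51.100.6 1
"""

def audit_pix_config(config_text, old_outside_net):
    """Return (stale_lines, default_routes) as lists of (line_number, line)."""
    old_net = ipaddress.ip_network(old_outside_net)
    stale, default_routes = [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(":"):
            continue  # skip blanks and ":" comment lines
        tokens = line.split()
        # Default route: "route <if_name> 0.0.0.0 0.0.0.0 <gateway> [metric]"
        if tokens[0] == "route" and tokens[2:4] == ["0.0.0.0", "0.0.0.0"]:
            default_routes.append((lineno, line))
        for candidate in IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # dotted token that is not a valid IPv4 address
            if addr in old_net:
                stale.append((lineno, line))  # still points at the old range
                break
    return stale, default_routes

if __name__ == "__main__":
    stale, routes = audit_pix_config(SAMPLE_CONFIG, "192.0.2.0/29")
    for lineno, line in stale:
        print(f"old range still referenced, line {lineno}: {line}")
    if len(routes) > 1:
        print("more than one default route:", [n for n, _ in routes])
```
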

Here are the "old" lines in the configuration that may be of note:

ip address outside 68.78.88.193 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 68.78.88.198 1

I am not sure what else to include here.

Mike

Reply to
eljainc

***

From the PIX, do a "ping outside y.y.y.y" (where y.y.y.y is the default gateway) and a "ping inside [PC-ip address]" to validate your connectivity on both sides of the PIX.

*** Then you can do a "sh xlate" when trying to establish internet connectivity and see if translation actually occurs.

*** And it will be easier to help if you post your actual sanitized config instead of the old one.

Reply to
mcaissie

This might sound strange, but when our ISP did the same, the only way the PIX would work was if we rebooted the router in front of the PIX; everything worked fine after that.

Dave

Reply to
Dave
