I need some help in configuring a Cisco PIX 501 VPN appliance. Our ISP changed our range of usable IP addresses. After that range was changed, no users could connect to the Internet. Our PIX 501E is set up as a NAT server and assigns IP addresses in the to 101.1.1.x range.

I scanned the original configuration and tried to replace the old IP addresses with the new ones. In particular I found:

ip address outside x.x.x.x

(x.x.x.x was the static address assigned to the PIX appliance). I changed this value to:

ip address outside y.y.y.y

where y.y.y.y is the new IP address for the PIX appliance.

Also, I saw:

route outside x1.x1.x1.x1 1

and made the IP address change to correspond to the WAN IP address.

I saved these changes, rebooted the router, but the PIX does not allow internet connectivity.

Is there something else I need to do?

Thanks Mike McWhinney

What does your NAT statement look like in the config? Also your global statement?

Should look something like:

global (Outside) 10 interface

nat (Inside) 10

Also, from the firewall can you ping your next hop

route outside x1.x1.x1.x1

Where x1.x1.x1.x1 is your next hop. If not, you have other problems.

*** Can you post the part of your config including the statements

global, nat, static

The global statement may contain the old IP also, unless it's configured with the "interface" option.


Verify that you don't have two default routes (though I don't remember if the PIX allows having two). You may need to do a

no route outside x1.x1.x1.x1 1


And be sure you can ping the default gateway from the PIX before concluding that it's a translation problem:

ping outside y.y.y.y

Here are the "old" lines in the configuration that may be of note:

ip address outside

ip address inside

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1

route outside 1

I am not sure what else to include here.


From the PIX do a "ping outside y.y.y.y" (where y.y.y.y is the default gateway) and a "ping inside [PC-ip address]" to validate your connectivity on both sides of the PIX.

*** Then you can do a "sh xlate" when trying to establish internet connectivity and see if translation actually occurs.

*** And it will be easier to help if you post your actual sanitized config instead of the old one.

This might sound strange, but when our ISP did the same, the only way the PIX would work was if we rebooted the router in front of the PIX; everything worked fine after that.
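Added example, not part of the thread: a small Python check for the two config problems raised above, statements that still carry an address from the old ISP range and more than one default route on the outside interface. The sample config, the documentation-range addresses and the PIX 6.x-style line layout are constructed assumptions, not the poster's actual configuration.

```python
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Statement types the thread says to re-check after an ISP renumbering.
KEYWORDS = ("ip address", "global", "nat", "static", "route", "access-list")

def audit(config, old_net):
    """Return (stale, default_routes) as lists of (line_number, line)."""
    old = ipaddress.ip_network(old_net)
    stale, default_routes = [], []
    for n, line in enumerate(config.splitlines(), 1):
        line = line.strip()
        if not line.startswith(KEYWORDS):
            continue
        for tok in IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(tok)
            except ValueError:      # e.g. 300.1.1.1 matched by the regex
                continue
            if addr in old:         # netmasks and 0.0.0.0 never match here
                stale.append((n, line))
                break
        if re.match(r"route outside 0\.0\.0\.0 0\.0\.0\.0 ", line):
            default_routes.append((n, line))
    return stale, default_routes

# Constructed sample: old range 198.51.100.0/24, new range 203.0.113.0/29.
SAMPLE = """\
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 198.51.100.10-198.51.100.14
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 198.51.100.5 10.1.1.5 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

if __name__ == "__main__":
    stale, routes = audit(SAMPLE, "198.51.100.0/24")
    for n, line in stale:
        print(f"line {n}: still uses old range: {line}")
    if len(routes) > 1:
        print("more than one default route on outside:")
        for n, line in routes:
            print(f"  line {n}: {line}")
```

A clean result here only rules out leftover addresses in the config; the ping and "sh xlate" checks from the replies still apply.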


