
Change ISP problem in PIX 515E

Hi all,

I have a problem: when I change from ISP A (old) to ISP B (new), the internet connection fails. Here is what I changed in the running config:

1. IP address outside

2. Global

3. Route 0.0.0.0 0.0.0.0 x.x.x.x

Testing beforehand:

If I set up the ISP B IP address, I can ping the ISP B gateway and DNS from the terminal console, which confirms that the connection to ISP B works.

I found that when I change these IP settings to ISP B it doesn't work, but when I roll back to the ISP A IP settings the internet connection succeeds. Does anyone know what the problem is? Please advise.

Stanley


ehirsel
Level 6

After you change IP addresses, you probably need to do a clear xlate to force the PIX to drop any existing connections that use NAT/PAT based upon the prior ISP address assignments, as well as to drop the correlation (NAT/PAT) between them and your inside network.

I assume that you do not own your public IP address range, and that when you change ISPs the public address changes along with them - that is, not only the PIX outside interface address, but any public addresses listed on global and static statements as well. Thus the need to do a clear xlate even if you only use global, and no static statements.

Let me know if this helps.

Hi ehirsel,

1. Thanks for your information.

2. What is clear xlate?

3. I didn't set any NAT/PAT, because I just want to set a pure running-config to test the internet connection. I only want to go through the PIX to the internet.

Stanley

Hello Stanley,

clear xlate is used to clear off any NAT/PAT translations that exist on the PIX. As ehirsel said, when you change the ISP, your public IPs change, and you have to clear off your existing NAT connections.

You are in fact doing PAT, by using the global command.

Just do the following:

1) Change the outside IP of the PIX to the new ISP.

2) Change the global statement to interface:

global (outside) 1 interface

3) Make sure the route outside points to the correct gateway.

4) Change the DNS of the users to the new ISP DNS on the DHCP server or manually on the PCs.

5) Do a clear xlate on the PIX and start the connections fresh.

I think it might be a DNS problem in your case. Make sure you change it.

All the best.. rate all replies if found useful..
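
The steps in the reply above written out as a PIX command sequence. This is an added example, not part of the original thread. It assumes PIX OS 6.x syntax, an interface named inside, and constructed placeholder addresses (198.51.100.0/24 for the old ISP, 192.0.2.0/24 for the new one). The nat (inside) line is included because a global statement only applies to traffic matched by a nat statement with the same ID.

```text
: Constructed example. PIX OS 6.x syntax assumed; all addresses are placeholders.
: 198.51.100.x = old ISP (A), 192.0.2.x = new ISP (B).

: Review what is currently configured before changing anything.
show global
show nat
show route

: Remove the old ISP's global pool and default route (placeholder values).
no global (outside) 1 198.51.100.10
no route outside 0.0.0.0 0.0.0.0 198.51.100.1

: Step 1: outside interface address from the new ISP.
ip address outside 192.0.2.2 255.255.255.248

: Step 2: PAT all outbound traffic to the outside interface address.
global (outside) 1 interface
: Matching nat statement with the same ID (1); assumed, not shown in the thread.
nat (inside) 1 0.0.0.0 0.0.0.0

: Step 3: default route to the new ISP's gateway.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

: Step 5: drop translations built against the old addresses, then verify.
clear xlate
show xlate
show route
```

Step 4 (client DNS) is changed on the DHCP server or the PCs, not on the PIX. An empty show xlate after inside hosts have tried to browse means no translation is being built for their traffic.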

Hi sachinraja,

1. Thank you for the information.

2. My question is: if I clear all static, nat, route, access list ... and reboot (power the PIX 515E off and on), do I still need to run the "clear xlate" command? I want to make sure that this command is helpful. Please advise, thanks.

Stanley

No need to power on/off the PIX. The clear xlate command will just clear off the existing NAT translation table. It will not clear the access-lists nor reboot the PIX. It is not a harmful command.

The existing users who are connected to internet will get disconnected and after that you can ask them to connect with the new ISP. simple ..

All the best !!

Hi sachinraja,

I tried the clear xlate command today, but it still fails to connect to the internet. Is there any other solution? Please advise, thanks.

Stanley

Hello,

Did you make sure that the DNS is right for the new ISP? I presume it can be a DNS problem. Just try browsing any site by IP address and see if it happens.

Check the sh xlate command and see if NAT translation is happening or not.

Mail me if you have any other queries. Thanks.

All the best !!

Hi sachinraja,

I made sure that my ISP A DNS is right, because some servers in my DMZ connect to the ISP A DNS, and from the PIX console I can also ping my ISP A DNS and gateway. But sh xlate shows no connections here. What is the problem? It seems that some connections through the PIX are blocked; browsing by IP address does not work. Do you have a running-config for internet connection only? My only problem is the internet connection. Please advise.

Stanley
