Thanks - Both lines are plugged directly into the pix, and our router just has a default route pointing to the inside interface of the pix (ex. ip route 0.0.0.0 0.0.0.0 192.168.2.2) And sorry - having the word "outside" in both those lines was a typo on my part!

Your default route (on router) should be to your ISP

ex. ip route 0.0.0.0 0.0.0.0 b.b.b.b 1

If the interface connecting from to your pix is private, just put your networks pointing to that interface on the pix.

ex. ip route 172.16.0.0 255.255.0.0 192.168.2.2

and possibly

ip route 192.168.0.0 255.255.0.0 192.168.2.2

I hope you get the idea.... Make the routes going to your pix more specific.

Then on the pix make sure your default route is pointing to the correct interface. Like in the previous post. And make sure you have an NAT statement going out that interface. You can use the same one that you had going out your outside. (make the new interface looks almost the same as the outside interface)

Jake

Sure - yes, the line is a Verizon fios fiber optic line (15Mbs) comes into a dlink router which then plugs into ethernet5 on the pix. From the pix I can ping the provider, but can't ping the provider from anywhere behind the pix, hence, I can't get the web traffic to use that link.

Ok - I am going to back up and start from scratch here - I think I may have not explained this very well. I have:

1 T1 (A.A.A.A) terminated at a 1721 then plugged into ethernet0 (if_name outside). Works fine.

1 new Veriszon 15Mb fios fiber optic line (B.B.B.B) terminated at a DLink router then plugged into ethernet3 on the pix (if_name Internet).

I want to be able to use the fiber optic line (B.B.B.B) for internet traffic while keeping the T1 (A.A.A.A) as a standby in case the fiber optic line goes down

My problem is no matter what I try I can't get traffic to flow over the fiber optic line. I know it's working because I can connect directly to the fiber optic line and get out to the net. I am attaching the config for my pix. Take a look and let me know what I need to do to get this to work. Thanks!

you need a global statement for the internet interface and track statements so

global (internet) B.B.B.B netmask 255.255.255.255

and

route internet 0.0.0.0 0.0.0.0 B.B.B.B 1 track (your dlinks gateway)

route outside 0.0.0.0 0.0.0.0 A.A.A.A 5

you need to make sure your internet route has the track statement, when it goes down, it will use the outside interface.

Jake thanks , I really appreciate your patience. So just so I have this straight - right now I have

b.b.b.1 - Verizon side router - their end

b.b.b.3 - Dlink router - my end

b.b.b.4 - Internet interface on my pix.

b.b.b.5-b.b.b.6 - open for me to use.

should my config, based on what you said look like this?

global (internet) B.B.B.1 netmask 255.255.255.255

route internet 0.0.0.0 0.0.0.0 B.B.B.3 1 track

global (internet) B.B.B.6 netmask 255.255.255.255

route internet 0.0.0.0 0.0.0.0 B.B.B.3 1 track 1

track 1 rtr 10 reachability

I frogot that last line... its been awhile since i used the track statement

Ok - still not working when I do that but I think I see why. I cannot ping from b.b.b.4 to b.b.b.3 even though I have a cable going from one to the other on the other side of the room, green lights on both ends and an up/up on the interface on the pix. Whats missing here?

Also - the 'track' command is an unknown on my pix - is that a later version command?

Yeah track is on a later version, not really an issue.

changes:

route outside 0.0.0.0 0.0.0.0 A.A.A.A 10

route internet 0.0.0.0 0.0.0.0 B.B.B.B 1

The INternet_acl looks to be in error. its going to network A and needs to be B.

Might want to take off the "access-group Internet_acl in interface Internet" just to test.

Also once you change the routes, go to www.network-tools.com and see what your IP is.

Ugh - if wasn't bald I'd be pulling my hair out. Tried the above, still no go. It's got to be something simple that I am missing. Now, can I tell the pix to only use that link for http/https traffic and everthing else continue to use the old link? Would that make this easier? I still have to figure out why I can't ping the dlink from the pix.

Did I already tell you I appreciate the help?

It would not be eaiser to send all www traffic out one interface.

Try this for pings

access-list Internet_acl extended permit icmp any any echo-reply

access-list Internet_acl extended permit icmp any any time-exceeded

access-list Internet_acl extended permit icmp any any unreachable

have you done a clear xlate ? That might be all it is. Also please post an updated config.

Ok, I added those - it choked on the 'extended' part, so I just added them to the acl itself. Did the clear xlate as well. Here is the updated config. Thanks!

ALSO - I added the last octet to the addresses to see if that helps at all.