I am replacing my current T-1 with another T-1 from a different provider. I am trying to set my default route to go through my new T-1 rather than my existing T-1, but nothing I do seems to work. The firewall simply will not route to the new interface. I am getting syslog errors of "unable to create translation...", or something to that effect. I didn't write it down. I'm doing PAT.
I have done a 'clear arp', 'clear xlate', nothing seems to work. However, I can ping the outside2 router from the pix, and I can ping any internet host through outside2 from the pix. Heck, I can even ping the outside2 router from an inside host. I just can't seem to get out to the internet. I would have thought clearing my translation tables and ARP cache would do it.
As soon as I change my global address to reflect my old line, and change my routes to my old line, everything comes right back up. I've used several IP Addresses for NAT, but just can't seem to get out.
Has anyone had any of these problems?? I've been working on this for weeks, and we are paying for a line that we can't use right now.
No, no posting of my code, but I do understand why you would want to look at it. I basically have an ACL on my inside interface, and use conduits to go from my lower security interfaces to my higher.
That's it. The only other configurations on my firewall are IPSec information not in use anymore, and failover configurations.
Are there any commands that I am not thinking of to reset anything? I cleared my ARP and translations. Could it be a security level issue? Being that I am re-routing my default route to a level of 15 and not 0?
Or could it be because my software level is so low? We are running 5.0(2) on a Pix 520.
Thanks for your response. However, I've used "clear xlate" too many times to remember. My translations are still not working. I think I got this error in my syslog, but can't remember, since I've done some other work:
Log Message %PIX-3-305006: translation creation failed for
Thanks! I am only allowing it to use one default gateway. The problem is, no traffic is passed through. I've even done what you had said (although I left that part out), in that I renamed my interfaces (the old outside interface I named to outside2, and my new line I named to outside).
Unfortunately, this did not work either. My Globals and NAT were redefined every time to reflect the new line. My Pix OS is severely outdated, 5.0(2), so I am in the process of upgrading before trying again.
And no, you are correct. This is a migration, and not additional lines.
First, you should try to isolate your problem. To do that, it's better to begin with your Internet gateway router, the new one. Are you able to surf from this point? Can you ping or telnet from this router? If not, forget the PIX, the problem isn't this box. Second, are you able to surf from the 192.168 network, the one between the new router and the new PIX's interface? Your problem is perhaps a routing one, not related to PIX.
As the last poster said, it's better to remove the outside2 stuff, just keep your initial outside interface and flip the new T1 and its router to this interface.
Also, take care with double NATting; sometimes it doesn't work properly.