Cisco Support Community

Unable to connect to the Internet through the PIX firewall after the ISP is changed

Core issue

Several steps must be taken in order to resume Internet connectivity through the PIX firewall after the Internet Service Provider (ISP) is changed:

The PIX firewall maintains an Address Resolution Protocol (ARP) table in order to remember the hardware addresses of connected devices and their corresponding Internet Protocol (IP) addresses.

  1. When any connected device is changed, for example the ISP modem or the router connected on the outside interface, the hardware address also changes. Issue the clear command for the ARP table stored in the PIX firewall in order to allow the firewall to build a new ARP table that accommodates the new hardware address and its corresponding IP address.

  2. If a new block of IP addresses is to be used as the public IP address, it is necessary to make changes in a few or all of the translation rules and access-list commands already applied in the configuration. This allows the hosts or servers in the private network to be mapped with the new block of IP addresses provided by the new ISP. Changes must also be made in the access-list rules so that the inbound traffic can be denied or permitted in accordance with the new set of IP addresses.



Complete these steps when the ISP is changed in order to ensure proper Internet connectivity:

  1. Change the IP address of the outside interface.

  2. Change the default route of the PIX firewall. Point it to the IP address of the modem or router of the new ISP.

  3. Change the dynamic and static translation rules in order to map the inside devices with the new block of IP addresses.

  4. Change the access-list rules in order to permit or deny the inbound traffic.

  5. Use the clear arp command in order to clear the ARP table.

  6. Use the clear xlate command in order to clear the translation table, so that new translation slots can be built through the firewall.

  7. Use the clear local-host command in order to clear the local host entries.

Note: In addition to all the steps previously mentioned, whenever there is any topology change, for example if you replace any mail server or FTP server hardware or its IP address, it is necessary to make sure that you also update the NAT/PAT rules and open the ports on the PIX with the use of the access-list command.
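
A check to run after steps 1 through 4, as an added example that is not part of the original article or Cisco tooling: it scans a saved configuration for interface, route, translation and access-list lines that still reference the old ISP block, since a leftover permit or static entry keeps pointing at addresses you no longer own. The sample configuration, the address blocks (documentation ranges) and the function name `stale_references` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: PIX 6.x-style lines after a partial migration.
# 198.51.100.8/29 stands in for the old ISP block, 203.0.113.0/29 for the new one.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 198.51.100.11-198.51.100.13
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 203.0.113.3 192.168.1.10 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any host 198.51.100.10 eq smtp
access-list acl_out permit tcp any host 203.0.113.3 eq www
route outside 0.0.0.0 0.0.0.0 198.51.100.9 1
"""

# Dotted quads, including both ends of a "start-end" global pool range.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Commands the procedure says to revise (steps 1 to 4).
WATCHED = ("ip address", "route", "global", "static", "access-list")


def stale_references(config_text, old_block):
    """Return (line_no, command, line) for watched lines that still use old_block."""
    old_net = ipaddress.ip_network(old_block)
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()  # 7.x indents "ip address" under the interface
        command = next((c for c in WATCHED if line.startswith(c + " ")), None)
        if command is None:
            continue
        for token in IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue  # matched the pattern but is not a valid address
            if addr in old_net:
                findings.append((line_no, command, line))
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for line_no, command, line in stale_references(SAMPLE_CONFIG, "198.51.100.8/29"):
        print(f"line {line_no}: [{command}] {line}")
```

The scan matches literal addresses only; entries that refer to hosts through `name` aliases or object groups need to be reviewed by hand.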

Product Family

Firewall - PIX 500 series

PIX Software Version

PIX version 6.x

PIX version 7.x