PIX 515 failover pair and DMZ

Posted on 2006-05-07
Last Modified: 2011-09-20
Hi Guys,

I have asked a couple of questions this week about two PIX 515's (UR and FO) and failover config, which I have received good answers to.

What I forgot to ask is: are there any special considerations if I was going to have a DMZ, or would I just configure the DMZ interfaces the same way as the internal interfaces?

Both PIX's have six interfaces and I was going to have inside, outside, stateful, failover and DMZ. I take it I would give the DMZ interfaces different addresses and treat them the same as the inside config just with a lower security setting?

Any pointers would be appreciated.


Question by:kjorviss

    Accepted Solution

    Hi Kevin

    As per your earlier Qs on this - the DMZ interfaces should be configured exactly the same:
    Active firewall:
    DMZ ip address

    Standby firewall:
    DMZ ip address

    Both of these interfaces should be plugged into the DMZ switch (or into the same DMZ vlan if you are using vlans).  Should the active firewall fail, the standby will take over and the DMZ will assume the ip address.
    Has all the details on how to configure etc.

    You can test the failover configuration to make sure it is all working ok:
    On the active firewall type:
    no failover active

    This will force failover to the standby - type sh failover and you will see how things have changed.

    hope this helps
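
The check below is an added example, not part of the original answer: it audits a saved configuration to confirm that every addressed interface, the DMZ included, also has a standby address in the same subnet. It assumes PIX 6.x syntax (`ip address <if> <ip> <mask>` and `failover ip address <if> <ip>`); the sample config and its addresses are constructed, and `audit_failover` is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed sample in PIX 6.x syntax (documentation-style addresses, not
# taken from the thread). The dmz interface has no standby address.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
failover
failover ip address outside 192.0.2.2
failover ip address inside 10.0.0.2
"""

ACTIVE_RE = re.compile(r"^ip address (\S+) ([\d.]+) ([\d.]+)$")
STANDBY_RE = re.compile(r"^failover ip address (\S+) ([\d.]+)$")

def audit_failover(config):
    """Return {interface: problem} for interfaces whose standby address is
    missing, equal to the active address, or outside the active subnet."""
    active, standby = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = ACTIVE_RE.match(line)
        if m:
            active[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
            continue
        m = STANDBY_RE.match(line)
        if m:
            standby[m.group(1)] = ipaddress.ip_address(m.group(2))
    problems = {}
    for name, iface in active.items():
        peer = standby.get(name)
        # An all-zero standby address is treated the same as an unset one.
        if peer is None or peer.is_unspecified:
            problems[name] = "no failover ip address configured"
        elif peer == iface.ip:
            problems[name] = "standby address equals active address"
        elif peer not in iface.network:
            problems[name] = "standby address outside active subnet"
    return problems

if __name__ == "__main__":
    for name, problem in audit_failover(SAMPLE_CONFIG).items():
        print(f"{name}: {problem}")
```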


    Author Comment

    Hi nodisco

    Thanks for the answer. I was just having a moment..... I was worried that there were special considerations for a DMZ network.

    Thanks again for the advice


    Expert Comment

    You're welcome.  There's no harm in being careful ;-)
