Cisco Support Community
Community Member


Hi All,

I am very new to firewalls. I have a Cisco PIX 515E. I want to know about the configuration of the 515E, and also what happens with the commands fixup protocol, failover ip address outside and failover ip address state, and how to use access lists in the firewall.

Hall of Fame Super Blue

Re: Firewall


Big subject :-)

1) fixup protocol. Generally the PIX looks at layer 3 (IP addresses) and layer 4 (port numbers). However, for some applications it can look at the layer 7 information, i.e. it understands certain commands etc. used by the application. The applications it can do this for are defined by the fixup protocol lines.

2) failover - this is used when you have two firewalls in a pair. One is generally active and the other is in failover mode and will assume the active role if the primary firewall fails. Note that with v7.0 of the PIX software you can run both in active mode if you want, on a per-context basis.

3) access-lists are used to control the traffic allowed through the firewall, either from inside to outside or outside to inside, or outside to DMZ etc...

By default traffic is allowed to flow from a higher security interface to a lower security interface without an access-list, e.g. inside to outside.

Attached is a link to the PIX firewall configuration docs.



Community Member

Re: Firewall

Thanks for the quick reply.

However, I want to know the meaning of the following commands:

fixup protocol dns maximum-length 512

fixup protocol ftp 21

access-list acl_in permit udp host host eq domain

failover ip address state x.x.x.x


Re: Firewall

access-list acl_in permit udp host host eq domain

This is allowing udp 53 (dns) traffic from to, as long as acl_in is applied to an interface with something like "access-group acl_in in interface outside".
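
An added example, not part of the original thread or of Cisco's documentation: a small Python check for the condition in the reply above, that an access-list only filters traffic once an access-group line binds it to an interface. The sample configuration, its addresses (documentation ranges) and the acl_dmz and acl_old names are constructed for illustration.

```python
import re

# Constructed sample config; addresses are documentation placeholders,
# not values from the thread.
SAMPLE_CONFIG = """\
fixup protocol dns maximum-length 512
fixup protocol ftp 21
access-list acl_in permit udp host 192.0.2.10 host 198.51.100.53 eq domain
access-list acl_dmz permit tcp any host 198.51.100.80 eq www
access-group acl_in in interface outside
access-group acl_old in interface dmz
"""

# "extended" is optional so that 7.x-style lines are matched as well.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def audit_acls(config_text):
    """Classify ACL names by whether an access-group binds them to an interface.

    Only access-group bindings are considered; an ACL referenced solely by
    another command (for example a nat or crypto map statement) is reported
    as unapplied here and needs a manual look.
    """
    entries, bindings = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2) + " " + m.group(3))
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings.setdefault(m.group(1), []).append(m.group(2))
    return {
        # ACLs that actually filter traffic, with the interfaces they are bound to
        "applied": {n: bindings[n] for n in entries if n in bindings},
        # ACLs that are defined but never bound by access-group
        "unapplied": sorted(n for n in entries if n not in bindings),
        # access-group lines that name an ACL with no entries in the config
        "dangling": sorted(n for n in bindings if n not in entries),
    }


if __name__ == "__main__":
    for kind, value in audit_acls(SAMPLE_CONFIG).items():
        print(kind, value)
```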
