Cisco Support Community

DMZ Configuration in Active-Active Mode


I'm trying to configure a DMZ on my Active-Active PIX units; when publishing my web server on the first context things work fine and the web server becomes accessible using the published IP. But when I try to apply the same static command on the second context (using the same IP I used on the other context) the PIX refuses to publish the web server and a static overlap error message appears. If I publish the web server on this context using a different public IP, the web server becomes totally inaccessible, using either the old IP or the second one.

Can somebody advise how I should deal with this problem? I need to be able to configure the same command on both contexts using one public IP.




Re: DMZ Configuration in Active-Active Mode

Command statements for the static command cannot contain overlapping IP addresses. When IP addresses are overlapped, PIX Firewall experiences service denials without sending denial statements to syslog. [CSCdp22217] In this caveat report, an FTP session was attempted but was denied without a denial message sent to syslog.

For example, the following command statements do not work:

nat (inside) 0
static (inside,outside) netmask
static (inside,perim1) netmask

In this example, the nat 0 command statement enables the identity feature so that any host on the network can start connections to a lower security level interface. The first static command statement lets all hosts on the inside network be visible on the outside network. The second static statement attempts to use a subset of the address range on another interface. Because is a part of the range of addresses, the addresses overlap.
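The overlap rule described in the reply can be checked before a static statement is pushed to the firewall. The Python script below is an added example, not code from the original post or from Cisco: it parses static statements from a constructed two-context configuration (the context names, interface names and addresses are all made up, using RFC 5737 and RFC 1918 space) and reports any two statements whose mapped addresses overlap on the same mapped interface, or whose real addresses overlap on the same real interface, which is the rule as the reply states it. It also compares statements across contexts, on the assumption, taken from the question rather than the reply, that both contexts share the outside interface.

```python
"""Flag overlapping PIX 'static' statements before the firewall rejects them
(or, per the caveat quoted above, silently drops traffic without a syslog).

Added example, not from the original post or from Cisco.  Context names,
interface names and all addresses are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from itertools import combinations

# Syntax handled: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_ifc>[^,\s]+)\s*,\s*(?P<mapped_ifc>[^)\s]+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?"
)


@dataclass(frozen=True)
class Static:
    context: str
    real_ifc: str
    mapped_ifc: str
    mapped: ipaddress.IPv4Network  # global/translated side
    real: ipaddress.IPv4Network    # local/untranslated side
    text: str


def parse_static(context: str, line: str):
    """Return a Static for a 'static' line, or None for any other line."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    mask = m.group("mask") or "255.255.255.255"  # no netmask => host static
    return Static(
        context, m.group("real_ifc"), m.group("mapped_ifc"),
        ipaddress.ip_network(f"{m.group('mapped')}/{mask}", strict=False),
        ipaddress.ip_network(f"{m.group('real')}/{mask}", strict=False),
        line.strip(),
    )


def find_overlaps(configs: dict):
    """configs maps a context name to its list of config lines.
    Returns (first, second, reason) for every pair of statics that overlap."""
    statics = [s for ctx, lines in configs.items()
               for s in (parse_static(ctx, ln) for ln in lines) if s]
    conflicts = []
    for a, b in combinations(statics, 2):
        # Two translations claiming the same global address on the same mapped
        # interface.  Checked across contexts too, assuming (from the question)
        # that the contexts share that interface.
        if a.mapped_ifc == b.mapped_ifc and a.mapped.overlaps(b.mapped):
            conflicts.append((a, b, f"mapped addresses overlap on {a.mapped_ifc}"))
        # Overlapping local ranges from the same real interface, the pattern in
        # the quoted caveat (a subset of the range reused towards another interface).
        elif a.real_ifc == b.real_ifc and a.real.overlaps(b.real):
            conflicts.append((a, b, f"real addresses overlap on {a.real_ifc}"))
    return conflicts


# Constructed configuration: ctxA repeats the caveat's pattern with made-up
# addresses, and both contexts publish a DMZ server on the same public IP,
# which is the situation in the question.
SAMPLE = {
    "ctxA": [
        "nat (inside) 0 10.1.1.0 255.255.255.0",
        "static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0",
        "static (inside,perim1) 10.1.1.16 10.1.1.16 netmask 255.255.255.248",
        "static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255",
    ],
    "ctxB": [
        "static (dmz,outside) 203.0.113.10 172.16.2.10 netmask 255.255.255.255",
    ],
}

if __name__ == "__main__":
    for a, b, why in find_overlaps(SAMPLE):
        print(f"CONFLICT ({why}):\n  [{a.context}] {a.text}\n  [{b.context}] {b.text}")
```

Run against the sample it reports two conflicts: the real-side overlap between the two inside statics in ctxA, and the shared 203.0.113.10 on outside between ctxA and ctxB. Run it over the real context configurations (one list per context) before committing a new static, since the firewall's own rejection, or the silent denial the caveat describes, is the only other warning you get.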
