sub-interfaces means VLANs, so the switch connected to the DMZ interface would need to be re-configured as an 802.1q trunk, trunking the VLANs you then assign to the sub-interfaces.

To convert, remove the IP from the physical interface and create the sub-interface. Note the VLAN command.

interface gigabitethernet0/1

no ip address 10.1.1.1 255.255.255.0

interface gigabitethernet0/1.1

vlan 101

nameif dmz1

security-level 50

ip address 10.1.1.1 255.255.255.0

no shutdown

thank you for your help but do i need to do that only with CLI ??

i'd like to know if hosts, networks and all my rules will be automatically applied on the new sub-interface which will have the nameif and the same IP.

Sorry, I only ever use CLI.

I would expect hosts and object-groups to be retained but you will probably need to reapply ACL, NAT and static routes.

thank you for your reply,

but is there any relation between hosts and groups with the interface they belong, when i read the configuration i don't see any ASDM location or PDM as before so when i create a host by CLI, how do the PIX affect this one to an interface ?

ASDM and PDM location are calculated and added to the config automatically when you start ADSM/PDM. You can remove them from the config, and it will just recreate them next time.

Hosts and object-groups in CLI are not tied to any interface but I think also ASDM/PDM calculates the interface from looking at the routing table.

So no worries.

ok Grant thanks for your help !!

I think i will do it on next saturday is it possible to exchange by email what i have to do for all my modification ??