Cisco Support Community
Community Member

Static commands with failover...


We are converting our PIX515 firewall to two PIX515e's with failover.

I just need confirmation on a doc I read regarding static commands and the failover method.

Is it true that with a failover configuration I need to add a static line for every protocol or port used, with the static command and acl command?

If I intend to pass www, smtp, and ftp on the following example, do I need to do the following conversions?

Example: Present configuration;

static (inside,outside) netmask 0 0

Would this line now need 3 separate entries? Along with the acl commands?

static (inside,outside) tcp interface 80 80

static (inside,outside) tcp interface 25 25

static (inside,outside) tcp interface 21 21

If so, should the ip here be the external or internal?



Re: Static commands with failover...

Nothing needs to be changed with your config in regards to IPs, nat, global etc.

Just add the failover config.

Keep the static command as you have it in your current config. If you don't add ports it will create a static for all IP, but if you only want the static rule for a specific port(s), use ports.

Both work (all IP or specific ports); ports only narrow the static rule down and are good for redirection (i.e. different ports going to different internal hosts but using one NAT IP, e.g. NAT IP x.x.x.x port telnet going to host A and NAT IP x.x.x.x port smtp going to host B).

Use ports if you are using redirection, otherwise go with the standard static as per your current statics (using an acl to lock it down).

Failover config example:

ip address outside x.x.x.67

ip address inside

ip address DMZ1

ip address stateful


failover poll 15

failover ip address outside x.x.x.68

failover ip address inside

failover ip address DMZ1

failover ip address stateful

failover link stateful

LAN failover config would be slightly different.

Hope it helps.
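
The two forms of static described in the reply above, side by side, as an added example that is not part of the original posts. It uses PIX 6.x syntax; the addresses (192.0.2.x outside, 10.1.1.x inside) and the ACL name acl_out are assumptions chosen for illustration.

```cisco
: Added illustration, not from the thread. All addresses and the
: ACL name acl_out are assumed placeholder values.
:
: Form 1: whole-IP static. Every protocol and port on 192.0.2.10 is
: translated to 10.1.1.10, so the ACL is the only thing limiting
: what the outside can reach.
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any host 192.0.2.10 eq www
access-list acl_out permit tcp any host 192.0.2.10 eq smtp
access-list acl_out permit tcp any host 192.0.2.10 eq ftp
:
: Form 2: port statics (redirection). One NAT IP, different ports
: going to different inside hosts. Only the listed ports are
: translated at all.
static (inside,outside) tcp 192.0.2.20 telnet 10.1.1.21 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.0.2.20 smtp 10.1.1.22 smtp netmask 255.255.255.255 0 0
access-list acl_out permit tcp any host 192.0.2.20 eq telnet
access-list acl_out permit tcp any host 192.0.2.20 eq smtp
:
: The ACL entries reference the translated (outside) address and
: apply inbound on the outside interface.
access-group acl_out in interface outside
```

With the whole-IP form, an overly broad ACL entry exposes every port on the inside host, so review the access-list together with the static whenever either one changes.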



Re: Static commands with failover...

Thank you Steve, really appreciate you guys and this forum.

