Cisco Support Community
Community Member

Two PIX 525 in Active/Active mode

Dear all,

I have two PIX 525 firewalls (one with a UR license and the second one with an FO-AA license). The firewalls are running in active/active mode. This set of firewalls is connected to a perimeter router connected to the Internet. My question is: how do I configure the perimeter router to talk to both firewalls at the same time?

I would be very grateful if you could provide me with sample configurations and URLs showing how to configure the perimeter router plus the two PIX in active/active mode.

Thanks a lot for your reply and your help.



Community Member

Re: Two PIX 525 in Active/Active mode


Thanks for your reply,

I already read this doc and it does not cover release 7.0. It is related to Active/Standby mode, not to Active/Active mode, which is what I am asking about, along with how the communication with the perimeter or Internet router will be, plus a sample configuration of the perimeter router to deal with such a scenario.

Hope you get my point.



Community Member

Re: Two PIX 525 in Active/Active mode

Hi Khaled,

I'd suggest doing one thing regarding the routing: since the PIX Active-Active setup doesn't assign a shared virtual IP between the interfaces (as HSRP does, for example), you can configure your default route to be through the IP of the first failover group and configure another route with a higher metric number to go through the IP of the other failover group... here's an example:

Suppose you have 2 failover groups with the outside interface shared between these groups... failover group 1 will be active on the first unit where group 2 will be passive on this unit. Things will be exactly the opposite on the second unit (i.e. group 1 will be passive and group 2 will be active). The active IP of the outside interface on PIX 1 is and it's on PIX 2. Now, configure your default route to be through, and do a second route through with a higher metric; this will cause all traffic to go through unless there's a failure on this unit. In case you need to use your PIX to load balance traffic, you can configure half of your hosts to go through one IP and the other half to use the other GW, this also applies if you have different internet links. Hope this helps.

For info on Active-Active configuration, browse to the following link:

Best Regards,

