diff --git a/build_num b/build_num
index 1bcab8a09..8955a3cf3 100644
--- a/build_num
+++ b/build_num
@@ -1 +1 @@
-#define BUILD_NUM 2395
+#define BUILD_NUM 2396
diff --git a/doc/ChangeLog b/doc/ChangeLog
index 40fce230c..fcdc3d149 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,5 +1,11 @@
 2010-01-20  vadim  <vadim@vk.crocodile.org>
 
+	* Helper.cpp (Helper::findInterfaceByNetzone): fixes #1118
+	"fwb_pix uses wrong interface compiling the second cluster
+	member".  NAT compiler for PIX failed to find interface with
+	correct network zone if interface was a child of another
+	interface, e.g. vlan subinterface.
+
 	* clusterMembersDialog.cpp (clusterMembersDialog::getSelectedMembers):
 	fixes #1117 "failover group member editor loses interfaces". If
 	failover group included vlan interfaces of the member firewalls,
diff --git a/src/cisco_lib/Helper.cpp b/src/cisco_lib/Helper.cpp
index 9949b21c8..a3b3c3b47 100644
--- a/src/cisco_lib/Helper.cpp
+++ b/src/cisco_lib/Helper.cpp
@@ -117,19 +117,23 @@ int  Helper::findInterfaceByNetzone(Address *obj)
 
 int  Helper::findInterfaceByNetzone(const InetAddr *addr) throw(string)
 {
-    Firewall *fw=compiler->fw;
+    Firewall *fw = compiler->fw;
     map<int,FWObject*> zones;
-    FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME);
-    for ( ; i!=i.end(); ++i)
+    list<FWObject*> l2 = fw->getByTypeDeep(Interface::TYPENAME);
+    for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
     {
+        Interface *iface = Interface::cast(*i);
+        if (iface->isDedicatedFailover()) continue;
+        if (iface->isUnprotected()) continue;
+
         // NOTE: "network_zone" is globally unique string ID
         int netzone_id =
-            FWObjectDatabase::getIntId((*i)->getStr("network_zone"));
+            FWObjectDatabase::getIntId(iface->getStr("network_zone"));
 
 #if 0
         FWObject *netzone = fw->getRoot()->findInIndex(netzone_id);
         cerr << "netzone_id=" << netzone_id
-             << "  " << (*i)->getStr("network_zone")
+             << "  " << iface->getStr("network_zone")
              << "  " << netzone->getName()
              << endl;
 #endif
@@ -148,11 +152,11 @@ int  Helper::findInterfaceByNetzone(const InetAddr *addr) throw(string)
                 if (addr==NULL)
                 {
                     if ((*j)->getId()==FWObjectDatabase::ANY_ADDRESS_ID)
-                        return (*i)->getId(); // id of the interface
+                        return iface->getId(); // id of the interface
                 } else
                 {
                     if (Address::cast(*j)->belongs(*addr))
-                        zones[(*i)->getId()] = netzone;
+                        zones[iface->getId()] = netzone;
                 }
             }
         }
diff --git a/src/cisco_lib/NATCompiler_pix.cpp b/src/cisco_lib/NATCompiler_pix.cpp
index d092aede4..bd2ce9d52 100644
--- a/src/cisco_lib/NATCompiler_pix.cpp
+++ b/src/cisco_lib/NATCompiler_pix.cpp
@@ -440,22 +440,27 @@ bool NATCompiler_pix::VerifyRules::processNext()
 bool NATCompiler_pix::AssignInterface::processNext()
 {
     Helper helper(compiler);
-    NATRule *rule=getNext(); if (rule==NULL) return false;
+    NATRule *rule = getNext(); if (rule==NULL) return false;
 
-    Address  *a1=NULL;
-    Address  *a2=NULL;
+    Address  *a1 = NULL;
+    Address  *a2 = NULL;
 
-    if (rule->getRuleType()==NATRule::SNAT) {
-	a1=compiler->getFirstOSrc(rule);
-	a2=compiler->getFirstTSrc(rule);
+    if (rule->getRuleType()==NATRule::SNAT)
+    {
+	a1 = compiler->getFirstOSrc(rule);
+	a2 = compiler->getFirstTSrc(rule);
     }
-    if (rule->getRuleType()==NATRule::DNAT) {
-	a1=compiler->getFirstODst(rule);
-	a2=compiler->getFirstTDst(rule);
+
+    if (rule->getRuleType()==NATRule::DNAT)
+    {
+	a1 = compiler->getFirstODst(rule);
+	a2 = compiler->getFirstTDst(rule);
     }
-    if (rule->getRuleType()==NATRule::NONAT) {
-	a1=compiler->getFirstOSrc(rule);
-	a2=compiler->getFirstODst(rule);
+
+    if (rule->getRuleType()==NATRule::NONAT)
+    {
+	a1 = compiler->getFirstOSrc(rule);
+	a2 = compiler->getFirstODst(rule);
     }
 
     assert(a1!=NULL && a2!=NULL);
@@ -463,16 +468,16 @@ bool NATCompiler_pix::AssignInterface::processNext()
     rule->setInt("nat_iface_orig", helper.findInterfaceByNetzone(a1));
     rule->setInt("nat_iface_trn",  helper.findInterfaceByNetzone(a2));
 
-    if ( rule->getInt("nat_iface_orig")==-1 ) 
+    if ( rule->getInt("nat_iface_orig")==-1 )
     {
 	compiler->abort(
             rule, 
-                "Object '" + a1->getName() + 
-                "' does not belong to any known network zone.");
+            "Object '" + a1->getName() + 
+            "' does not belong to any known network zone.");
         return true;
     }
 
-    if ( rule->getInt("nat_iface_trn")==-1 ) 
+    if ( rule->getInt("nat_iface_trn")==-1 )
     {
 	compiler->abort(
             rule, 
diff --git a/test/pix/cluster-tests.fwb b/test/pix/cluster-tests.fwb
index a68571c0d..3c7d2a01c 100644
--- a/test/pix/cluster-tests.fwb
+++ b/test/pix/cluster-tests.fwb
@@ -282,7 +282,7 @@
   </Library>
   <Library id="id1495X69605" color="#d2ffd0" name="User" comment="" ro="False">
     <ObjectGroup id="id1502X69605" name="Clusters" comment="" ro="False">
-      <Cluster id="id2366X75741" host_OS="pix_os" inactive="False" lastCompiled="1261535722" lastInstalled="0" lastModified="1263972639" platform="pix" name="cluster1" comment="" ro="False">
+      <Cluster id="id2366X75741" host_OS="pix_os" inactive="False" lastCompiled="1261535722" lastInstalled="0" lastModified="1264013073" platform="pix" name="cluster1" comment="" ro="False">
         <NAT id="id2370X75741" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <NATRule id="id4606X78273" disabled="False" position="0" action="Translate" comment="">
             <OSrc neg="False">
@@ -950,7 +950,7 @@
           <Option name="xlate_ss">0</Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall id="id2930X39486" host_OS="pix_os" inactive="False" lastCompiled="1261535722" lastInstalled="1261535268" lastModified="1258414396" platform="pix" version="7.0" name="pix2" comment="  " ro="False">
+      <Firewall id="id2930X39486" host_OS="pix_os" inactive="False" lastCompiled="1261535722" lastInstalled="1261535268" lastModified="1264013073" platform="pix" version="7.0" name="pix2" comment="  " ro="False">
         <NAT id="id2952X39486" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <RuleSetOptions/>
         </NAT>
@@ -973,7 +973,7 @@
             <Option name="type">ethernet</Option>
           </InterfaceOptions>
           <Interface id="id2818X95537" dedicated_failover="False" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="Ethernet0.101" comment="" ro="False">
-            <IPv4 id="id2826X97641" name="pix2:Ethernet0:ip" comment="" ro="False" address="192.0.2.254" netmask="255.255.255.0"/>
+            <IPv4 id="id2826X97641" name="pix2:Ethernet0:Ethernet0.101:ip" comment="" ro="False" address="192.0.2.254" netmask="255.255.255.0"/>
             <InterfaceOptions>
               <Option name="bonding_policy"></Option>
               <Option name="bondng_driver_options"></Option>