PIX 515E and SonicWall

I have come to a company where they placed 2 firewalls connected to each other, one a PIX 515E and the other a SonicWall TZ170. The system admin who handed over to me told me this is for more security.
I found that there is double NATing happening, from the SonicWall to the PIX and from the PIX to the WAN.
I tried to remove the SonicWall, but there are a lot of features inside it, like anti-spam, anti-virus, content filter... Also, if I remove the PIX (the PIX is the most trusted firewall), I don't need the DMZ in the middle of the 2 firewalls, because I can create it with the SonicWall using the third interface.
Can anybody advise whether to keep them both or to remove the PIX?
[Attachment: drawing1-1-.JPG]
i_harfoush asked:
lrmoore commented (accepted solution):
This looks much more like what I would expect to see and what I would recommend.

lrmoore commented:
Is the PIX providing any other services, such as remote access VPN, that you would lose if you remove it?
If it ain't broke, don't fix it. If everything is working the way the business needs it to be, leave it alone for now.
Knowing that the PIX is nearing end-of-life, you might start planning for a replacement. The SonicWall is providing some features not available on the PIX, and would probably be adequate to support everything all by itself, so your replacement plans may be to replace them both with another combination of appliances, or a single device that does it all. Cisco gives you the option to use best-of-breed products for each function instead of trying to cram them all into one box, where you get an "adequate" and not a "best" solution for your business needs.

i_harfoush (author) commented:
Sir,
I am not using the PIX for VPN, only the NATing and access rules.
So you advise me to keep the current setup, Sir?
lrmoore commented:
Let's look at the pros and cons of taking the PIX out of the picture:

PRO:
 - removes a level of complexity, which eases troubleshooting problems (potential to save manpower $)
 - removes a device that is using electricity (save $ on the power bill)
 - removes a device that is nearing end-of-life from the vendor (no more upgrades or vendor support)
 - removes an additional point of failure

CON:
 - any change requires careful planning and takes time (manpower costs $)
 - you are left with "adequate" security from the SonicWall (are you comfortable with that?)
 - the PIX is generally a better, more trusted firewall than the SonicWall and will probably last you a couple more years
 - creates a single point of failure scenario

Bottom line is that you have to make the decision based on many factors, not just an opinion posted in a forum. I have no knowledge of the business, regulatory requirements on the business, amount of data, budget constraints, your level of expertise with any of the equipment, etc. I've just posted some things to think about in your decision-making process.

i_harfoush (author) commented:
Mr. lrmoore,
Is double NATing bad for networking, or is it something I can ignore?
i_harfoush (author) commented:
Can I leave the public servers NATed only by the PIX, keep their default gateway as the PIX, and have the clients use the SonicWall for content filtering and anti-spam?
lrmoore commented:
Double NAT is not necessarily bad. If it works, ignore it.
Yes, you can leave the public servers NATed only by the PIX and use the SonicWall for content filtering and anti-spam for end users.

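To make the two answers above concrete, here is an added example (not code from the thread, the poster, or either vendor) that models the two NAT hops in the poster's topology: the SonicWall translates LAN clients to its own address on the middle network, and the PIX translates that again to a public address, while a server in the middle network is published by a single static mapping on the PIX. The addresses, port numbers and device names are constructed for illustration and are assumptions, not the poster's real addressing.

```python
"""Added example, not from the original thread or from either vendor.

A toy model of the two NAT hops in the poster's topology: the SonicWall
translates LAN addresses to its address on the middle network, and the PIX
translates that again to a public address.  All addresses are constructed
for illustration (RFC 5737 documentation ranges) and are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample addressing (assumptions, not the poster's network).
LAN_CLIENT = "10.0.0.5"          # a user PC behind the SonicWall
SW_OUTSIDE = "192.168.1.2"       # SonicWall WAN side, on the middle network
DMZ_SERVER = "192.168.1.10"      # public server sitting between the firewalls
PIX_OUTSIDE = "203.0.113.1"      # PIX outside address, used as the PAT address
SERVER_PUBLIC = "203.0.113.10"   # public address statically mapped by the PIX
INTERNET_HOST = "198.51.100.7"   # some host on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatDevice:
    """One firewall: PAT for outbound flows, static 1:1 NAT for published servers."""
    name: str
    outside_ip: str
    static_map: Dict[str, str] = field(default_factory=dict)   # public -> inside
    next_port: int = 1024
    # (outside_ip, translated port) -> (original src, original sport)
    pat_table: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving through this device."""
        for public, inside in self.static_map.items():
            if inside == pkt.src:          # static NAT is bidirectional
                return Packet(public, pkt.sport, pkt.dst, pkt.dport)
        port = self.next_port              # PAT: one outside IP shared by all clients
        self.next_port += 1
        self.pat_table[(self.outside_ip, port)] = (pkt.src, pkt.sport)
        return Packet(self.outside_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from outside; None means it is dropped."""
        hit = self.pat_table.get((pkt.dst, pkt.dport))
        if hit:                            # reply to a flow this device created
            return Packet(pkt.src, pkt.sport, hit[0], hit[1])
        if pkt.dst in self.static_map:     # published server
            return Packet(pkt.src, pkt.sport, self.static_map[pkt.dst], pkt.dport)
        return None                        # unsolicited and unmapped: dropped


def outbound_path(pkt: Packet, sonicwall: NatDevice, pix: NatDevice) -> List[Packet]:
    """The packet as seen after each hop: LAN -> SonicWall -> PIX -> WAN."""
    after_sw = sonicwall.outbound(pkt)
    after_pix = pix.outbound(after_sw)
    return [after_sw, after_pix]


def inbound_path(pkt: Packet, pix: NatDevice, sonicwall: NatDevice) -> List[Optional[Packet]]:
    """Walk a packet inward from the WAN; the second translation only happens
    when the PIX hands the packet to the SonicWall's own address."""
    hops: List[Optional[Packet]] = [pix.inbound(pkt)]
    if hops[0] is not None and hops[0].dst == sonicwall.outside_ip:
        hops.append(sonicwall.inbound(hops[0]))
    return hops


def build_topology(server_behind_sonicwall: bool = False) -> Tuple[NatDevice, NatDevice]:
    """Two variants: the public server in the middle network (NATed only by the
    PIX), or the same public address forwarded on to the SonicWall instead."""
    sonicwall = NatDevice("sonicwall", SW_OUTSIDE)
    pix = NatDevice("pix", PIX_OUTSIDE)
    pix.static_map[SERVER_PUBLIC] = SW_OUTSIDE if server_behind_sonicwall else DMZ_SERVER
    return sonicwall, pix


if __name__ == "__main__":
    sw, pix = build_topology()
    for hop in outbound_path(Packet(LAN_CLIENT, 40000, INTERNET_HOST, 80), sw, pix):
        print("outbound:", hop)
    print("reply:", inbound_path(Packet(INTERNET_HOST, 80, PIX_OUTSIDE, 1024), pix, sw))
    print("to server:", inbound_path(Packet(INTERNET_HOST, 51000, SERVER_PUBLIC, 80), pix, sw))
    sw2, pix2 = build_topology(server_behind_sonicwall=True)
    print("behind SonicWall, no second mapping:",
          inbound_path(Packet(INTERNET_HOST, 51000, SERVER_PUBLIC, 80), pix2, sw2))
```

Three things the trace makes visible. First, the PIX sees every LAN client as 192.168.1.2, so PIX access rules and logs cannot tell one user from another; per-client rules and attribution have to live on the SonicWall, which is consistent with the advice to use it for the end-user features. Second, a server in the middle network is reached with one translation, which is why leaving the public servers NATed only by the PIX is the simpler design. Third, publishing a server that sits behind the SonicWall needs a mapping on both devices, and forgetting the second one silently drops the traffic, which is the kind of complexity the pros list above refers to. On a PIX the 1:1 mapping corresponds to a `static` entry and the outbound PAT to a `nat`/`global` pair.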
i_harfoush (author) commented:
Mr. lrmoore, can you comment on this drawing?
[Attachment: drawing-final.JPG]
i_harfoush (author) commented:
So it's recommended by you, Mr. lrmoore?
i_harfoush (author) commented:
OK
lrmoore commented:
What I recommend is that you use your own expertise and your own knowledge of your business requirements, assess the information I have provided, and make your own recommendations to your superiors.
You will not corner me into saying "yes, this is what I recommend", because I do not have enough information on why it was built the way it was in the first place. There may have been good reasons for it.