i_harfoush asked:

Pix515e and sonicwall

I have come to a company where they placed 2 firewalls connected to each other, one a PIX 515E and the other a SonicWall TZ170; the system admin who handed over to me told me this was for more security.
I found that there is double NATing happening, from SonicWall to PIX and from PIX to WAN.
I tried to remove the SonicWall, but there are a lot of features inside it, like anti-spam, anti-virus, content filter... Also, if I remove the PIX (PIX is the most trusted firewall)... and I don't need a DMZ in the middle of the 2 firewalls because I can create it with the SonicWall using the third interface.
Can anybody advise whether to keep them both or to remove the PIX?
(attachment: drawing1-1-.JPG)
Les Moore:

Is the PIX providing any other services such as remote access VPN that you would lose if you remove it?
If it ain't broke, don't fix it. If everything is working the way the business needs it to be, leave it alone for now.
Knowing that the PIX is nearing end-of-life, you might start planning for a replacement. The SonicWall is providing some features not available on the PIX, and would probably be adequate to support everything all by itself, so your replacement plans may be to replace them both with another combination of appliances, or a single device that does it all. Cisco gives you the option to use best-of-breed products for each function instead of trying to cram them all into one box where you get an "adequate" and not "best" solution for your business needs.
i_harfoush (asker):

Sir,
I am not using the PIX for VPN, only the NATing and access rules.
So you advise me to keep the current setup, Sir?
Les Moore:

Let's look at the pros and cons of removing the PIX from the picture:

PRO:
 - removes a level of complexity that eases troubleshooting problems (potential to save manpower $)
 - removes a device that is using electricity (save $ on power bill)
 - removes a device that is nearing end-of-life from the vendor (no more upgrades or vendor support)
 - removes an additional point of failure

CON:
 - any change requires careful planning and takes time (manpower costs $)
 - You are left with "adequate" security with the SonicWall (are you comfortable with that?)
 - PIX is generally a better, more trusted firewall than SonicWall and will probably last you a couple more years
 - creates a single point of failure scenario

Bottom line is that you have to make the decision based on many factors, not just an opinion posted in a forum. I have no knowledge of the business, regulatory requirements on the business, amount of data, budget constraints, your level of expertise with any of the equipment, etc. I've just posted some things to think about in your decision making process.

i_harfoush (asker):

Mr. Irm,
Is double NATing bad for networking, or something I can ignore?
Can I leave the public servers NATed only by the PIX and keep their default gateway as the PIX, with the clients using the SonicWall for content filtering and antispam?
Les Moore:

Double NAT is not necessarily bad. If it works, ignore it.
Yes, you can leave the public servers NATed only by the PIX and use the SonicWall for the content filtering and antispam for end users.
i_harfoush (asker):

Mr. Irm, can you comment on this drawing?
(attachment: drawing-final.JPG)
ASKER CERTIFIED SOLUTION (Les Moore)

i_harfoush (asker):

So it's recommended by you, Mr. Irm?
OK
Les Moore:

What I recommend is that you use your own expertise, and your own knowledge of your business requirements, assess the information I have provided, and make your own recommendations to your superiors.
You will not corner me into saying "yes, this is what I recommend" because I do not have enough information on why it was built the way it was in the first place. There may have been good reasons for it.