Basic Question(s)

Question

I am a recently hired Network Specialist (paid intern really) and have been tasked with figuring out how to install Sophos UTM onto a VM setup under Windows Server 2012. I have read through the installation guide on how to do that and it all seems pretty straight forward. I am however confused on where its supposed to sit on my network, and I have no one with that expertise/knowledge here to ask, so hopefully someone can be of some assistance as to what the best practice is. 
 I'm still trying to map out our network devices but so far I'm able to tell were using a Cisco ASA (5500 series I believe) router that's acting as our firewall and then it goes pretty much straight into our network. What I've read about the setup and after watching some of the "using sophos utm" videos it looks like the UTM can replace our router or at least handles a lot of the same functions, could this be a correct assessment? I am fairly certain it handles all of the firewall rules and filtering but since I'm new to this field I'm not sure if there's something else that a (edge?) router will do that the UTM cannot. 
 If it turns out my thought that it can replace the ASA is incorrect and it needs to be installed alongside it, is there typically any configuration that needs to be done to allow the UTM to sit in front of it (on the network)? Or does it not typically get placed there, instead being placed behind the ASA in the network. I ask because I've browsed through some of the config on the ASA and I'm seeing interfaces with different IPs assigned and other configurations so I want to make sure I am covering all required bases here before attempting the installation. 
 The more I look into this the farther it seems to be from my knowledge, but I would really rather exhaust all of my options before looking into getting a contractor to help/do it. 
 
 TLDR: Can the Sophos UTM replace a Cisco ASA? If so is it whats done in most cases or just possible? If it doesn't replace the ASA are there configuration changes that need to take place on the ASA for it to work with the UTM? 
 
 Thank you for any help you can provide, sorry about the novice nature of these questions, this is sort of a trial by fire position for me. 
 
 Thanks, 
 Geoff

WayneBoyles · Accepted Answer

Hi, 
 The UTM can absolutley replace the ASA - in fact it replaced mine without any problems. If you have multiple public IP addresses they are easily configured on the UTM and if you have any VLANs on the switches etc. then that's also fairly straight forward to setup. 
 To help, my original setup was: WAN -> Cisco ASA 5505 -> Cisco ISR 2801 -> Cisco Catalyst Switch with VLANs -> Network Devices. With the UTM I was able to eliminate the ASA and ISR and keep the switch in place with the VLAN configuration and have it setup as WAN -> UTM -> Switch -> Network Devices 
 I personally have my default gateway set to my Switch (which is capable of doing routing) and then have the default route on the switch going to the UTM. I found by doing this if the UTM wen't down then my routing wasn't hosed and I'm still able to access everything internally. I may be doing that incorrectly but it's working great for me. 
 Let me know if you have any specific questions regarding the replacement of the ASA and I'll be happy to help where I can!