Best method for replacing existing ASA 5505 firewalls?

Question

I have two offices, both with Cisco ASA 5505 firewalls with a VPN linking the two offices. Our main office is 45 staff while our smaller office has limited personnel use (sporadically occupied during week) and serves as our backup DR site. Firewall policies on the ASA's are pretty straightforward. 
 I have purchased an XG 210 for the main office and an XG 115 for the small office. Both have Enterprise Protect. Initially, I just want to replicate what the ASAs are doing and then I'll expand into the additional features of the XG firewalls as I learn more about their capabilities. 
 My question is on initial deployment. I can have some flexibility with our small office because I can just let staff know to work in the main office during the migration. I have a bigger concern about backup replication to the remote office so want to minimize the downtime of the site-to-site VPN. 
 I'm looking for suggestions on deployment. I figure I'll start with the small office during the work week, get the XG 115 setup there, recreate the site-to-site VPN between the two locations so backups can then occur again, and then over the weekend, I'll use the experience I gained from the XG 115 install to do the XG 210 in our main office. 
 1) Does this sound like a reasonable migration plan? 
 2) Are there any issues (or guides) to setting up a site-to-site IPSEC VPN between Sophos XG and Cisco ASA 5505?

FloSupport · Accepted Answer

Hi Greg, 
 Welcome to Sophos! 
 In regards to your migration, I would actually suggest a different approach to this. If you can schedule enough downtime on the weekend, I would instead recommend doing a complete XG to XG migration. You would be able to leave the existing Cisco ASA tunnel in place, while you worked on the configuration and migration of the XGs and getting them setup to test. It may not be worth the time of troubleshooting if the tunnel migration between the ASA and the XG do not go smoothly, since you are going to completely migrate both sites anyways. 
 With an XG to XG VPN tunnel, you have similar default IPsec policies to utilize, and also have 2 other tunnel options (RED and SSL) instead of IPsec since they are both XG's. You would then be able to test all 3 of the tunnel types to find out which option suits your administrative needs. 
 Sophos XG Firewall: How to set a Site-to-Site IPsec VPN connection using a preshared key 
 Sophos XG Firewall: How to configure Site-to-Site RED Tunnels 
 Sophos Firewall: How to set up a Site-to-Site SSL VPN 
 Regards, 
 FloSupport | Community Support Engineer

FloSupport · Answer

Hey Greg Francis 
 In that case, you might not have the luxury to have both in place at the same time (Test LAN's on both sites, multiple external IPs). However, i'd still advise performing the migration completely. Please reach out to me via thread or PM if you still had any further questions. 
 Also I forgot to link our KB article regarding our recommended settings for IPsec profiles , if you decide to go with that method of a VPN tunnel. 
 Best, 
 FloSupport | Community Support Engineer