I'm hoping someone can critique a very basic redundant ASA configuration. Currently, we have rack space at our provider. The provider provides us two uplinks to their cores. I have one ASA5520 and one 3560 switch, so both uplinks (fiber) are on the same switch. I would like to introduce another ASA and another 3560 (or 3750). I envision that one provider uplink will go into one switch, and the other uplink will go to our new switch. I can simply run spanning tree and will not need a routing protocol. We do not have an internet router. The outside interface of our ASA is placed into the same VLAN as the provider uplinks, and we "go out" from there. Our provider routes us a netblock to our ASA outside interface IP. I then NAT to our internal servers, which are also plugged into the same switch, and VLAN appropriately. You can see we have all our eggs in one basket with the switch and ASA.
I can only introduce two more devices into our rack, so one more switch and one more ASA is all I have to work with. Please see the attached pic to see if I've thought this out.
1. I am confused if the two switches need to be connected together via an etherchannel and HSRP or anything like that. The ASA is the default gateway for all the devices on the network, so the switches really aren't routing.
2. Our current ASA is running some older 7.2 code. I obviously want to get it up to the 8.X series. This may have to be a phased implementation, since this is a production site and my downtimes can't be long. Is it difficult to bring a single, standalone ASA into an Active/Standby configuration with an entirely new ASA? I know they have to be the same hardware config, code rev, etc.
I've done one of these before, but it was from scratch and I had the luxury of time.
The goal here (obviously) is to keep our servers available in the event we lose one ASA or one switch. Please look at the pic and offer any suggestions. Thanks very much.
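Added example, not part of the original post and not taken from the poster's configuration: a minimal LAN-based Active/Standby failover configuration in ASA 8.x syntax for the two-ASA, two-switch design described above (one pair of outside/inside interfaces, each with an active and a standby address, plus a dedicated failover link). The interface names, the RFC 5737 documentation addresses (203.0.113.0/29, 192.0.2.0/24) and the 192.168.255.0/30 failover-link subnet are assumed placeholders; the provider-assigned netblock and the real interface layout must be substituted. The standby addresses are what let the secondary unit be reachable (and monitored) while it is not active, and they must sit in the same VLAN/subnet as the active address on each switch.

```cisco
! ---- Primary unit (assumed interface layout; addresses are constructed placeholders) ----
hostname asa-primary
!
! Outside: same VLAN as the two provider uplinks; provider routes the netblock to the active IP.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
 no shutdown
!
! Inside: default gateway for the server VLAN; servers point at the active IP only.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
 no shutdown
!
! Dedicated failover link (also carries stateful replication here). Cable it directly
! between the two ASAs, or through BOTH switches on its own VLAN so a single switch
! loss does not also sever the failover link and cause a split-brain (both active).
interface GigabitEthernet0/3
 description FAILOVER LINK
 no shutdown
!
failover lan unit primary
failover lan interface FOVER GigabitEthernet0/3
failover link FOVER GigabitEthernet0/3
failover interface ip FOVER 192.168.255.1 255.255.255.252 standby 192.168.255.2
! Pre-shared key so failover/state traffic on the link is authenticated and encrypted.
failover key <PLACEHOLDER-FAILOVER-KEY>
! Monitor the data interfaces: losing hello traffic on either triggers a switchover.
monitor-interface outside
monitor-interface inside
failover polltime interface 1 holdtime 5
failover
!
! ---- Secondary unit: only the failover bootstrap is entered by hand; the rest is ----
! ---- replicated from the primary once the pair forms.                             ----
! failover lan unit secondary
! failover lan interface FOVER GigabitEthernet0/3
! failover interface ip FOVER 192.168.255.1 255.255.255.252 standby 192.168.255.2
! failover key <PLACEHOLDER-FAILOVER-KEY>
! interface GigabitEthernet0/3
!  no shutdown
! failover
```

Usage notes for the phased cut-over in question 2: both units must be the same model, the same licensed feature set and the same software version before `failover` is enabled, so the existing 5520 has to be upgraded to the target 8.x release first, with the new unit staged at that same release. Enabling failover on the existing unit as primary, then bringing up the secondary, leaves the existing unit active (and its addresses unchanged), so the servers and the provider see the same gateway and outside IP throughout; `show failover` on either unit should report the peer as `Standby Ready` and every monitored interface as `Normal` before relying on the pair. Since the ASAs are the default gateway, the switches only need a Layer 2 trunk between them carrying the outside, inside and failover VLANs, with spanning tree preventing the loop formed by the two uplinks; no HSRP is required on the switches.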