I have two 6513 core switches that I want to connect to an ASA. These devices can be connected in two ways:
1) One cable from each 6513 switch going to the ASA (my question here: can two ports on the ASA be given IP addresses in the same segment?)
2) One cable from each 6513 switch going to an L2 VLAN on some 3750 switch, and from that same L2 VLAN one cable connecting to the ASA (but then this 3750 switch is a single point of failure in the network).
6500s - sw1 & sw2
ASAs - asa1 & asa2
connect asa1 to sw1
connect asa2 to sw2
It is recommended that you have a dedicated VLAN for this connectivity, i.e. no end devices should be in this VLAN. Obviously this VLAN needs to be allowed on the trunk link between the two 6500 switches. This should run HSRP on the 6500s, and the firewall uses the HSRP VIP to reach the networks off the 6500s.
You now have redundancy for your firewalls, i.e. let's assume that asa1 is active, so traffic goes via sw1 to asa1. Note that if the packet arrives at sw1 destined for the firewall, then it is simply switched across the L2 link to sw1 and then to asa1.
1) asa1 fails and asa2 becomes active. Now any traffic arriving at sw1 is simply switched across the L2 trunk to sw2 and sent to asa2 (which is now the active firewall). Any traffic arriving on sw2 is simply sent to asa2.
2) sw1 fails. If sw1 fails the ASA will fail over to asa2, and it is the same as 1) except no traffic will be arriving on sw1.
3) The connection between sw1 and asa1 fails. As long as you are monitoring the inside interface of asa1, then again asa1 fails over to asa2 and traffic flows as per 1).
4) Both switches fail - you then have a lot more problems to worry about than your firewalls.
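The design in the answer above (dedicated transit VLAN, HSRP on the 6500s, ASA active/standby failover with the inside interface monitored) as an added configuration example; it is not from the thread, and VLAN 100, the 10.1.100.0/24 subnet, the 10.0.0.0/8 inside networks, interface names and the failover link addressing are all assumed values.

```cisco
! Added example, not from the thread. Assumed: VLAN 100 is the dedicated
! firewall transit VLAN (10.1.100.0/24), HSRP VIP 10.1.100.1, asa1/asa2
! inside addresses 10.1.100.10/.11, Te1/1 is the sw1-sw2 trunk.
!
! ---- sw1 (6500, HSRP active) ----
interface TenGigabitEthernet1/1
 description trunk to sw2 - VLAN 100 must be allowed here
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan add 100
!
interface GigabitEthernet1/1
 description to asa1 inside
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface Vlan100
 description firewall transit VLAN - no end hosts
 ip address 10.1.100.2 255.255.255.0
 standby 1 ip 10.1.100.1
 standby 1 priority 110
 standby 1 preempt
!
! ---- sw2 (6500, HSRP standby): identical, except Vlan100 uses
! ip address 10.1.100.3 and standby 1 priority 100; Gi1/1 faces asa2.
!
! ---- asa1 (primary unit; asa2 receives the same config via failover) ----
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.100.10 255.255.255.0 standby 10.1.100.11
!
! Inside networks are reached via the HSRP VIP, not a physical 6500 address
route inside 10.0.0.0 255.0.0.0 10.1.100.1
!
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 192.168.254.1 255.255.255.252 standby 192.168.254.2
! Case 3 in the answer: the inside interface must be monitored so that a
! dead sw1-asa1 link triggers failover (physical interfaces are monitored by
! default, subinterfaces are not; stating it explicitly documents the intent)
monitor-interface inside
```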