Let me be honest and open with you on this, in PIX/ASA version 7.x there's still no real Active-Active setup (one simple justification for this is that you can't configure the same NAT configuration on the different contexts, etc.), although I heard this will change in version 7.2 which is going to be released soon, but this is still not the case. So, I don't see any real added value from complicating your network with such a setup, but instead you can just deploy your FW cluster in Active-Passive and that's it. Now back to your points:
1. You can have on your L3 switch 2 static routes, for example with different metrics, pointing to the different internal interfaces of your ASA units. You shouldn't worry about the traffic back since the 2 ASA units will know the route back, and in terms of session information they share the state table and your session should be replicated between the 2 units. I didn't try this but theoretically it should work.
2. Usually a L2 switch is deployed in the perimeter subnet (i.e. between the router and the perimeter FW, which is in this case your ASA cluster). L3 switches are needed to configure VLANs and do routing between them from within the same switch, and I don't think you need this on your external subnet. Unless you have a real need for having a L3 switch in the outside subnet, just go with deploying a L2 switch in between your router and ASA cluster.
3. To have your inbound internet traffic balanced between the 2 ASA units, you probably need a load balancer on which you can configure a VIP. In turn the balancer will be redirecting the traffic between the 2 different external IP addresses of your ASA units on a round-robin basis or on whichever load-balancing algorithm the balancer has; this is usually configurable.
Hope this helps, and please let me know if you still have any questions.
1. Well, I'll tell you what happened with me from my previous experience. I had a similar setup as yours and I managed to have the same NAT on both FW contexts. When I tried to configure the same DMZ out of the 2 firewalls, I was receiving errors regarding static overlap with the other security context. When I consulted with Cisco at that time, they confirmed to me that the main idea behind Active-Active in version 7.0 is to do load balancing for 2 separate subnets and not the same internal subnet.
Now on your router, yes, since the external interfaces of your ASA devices will have 2 different IP addresses, then either you need another layer to create a VIP and route all the traffic to this VIP, or you will need to have different static routes to the 2 outside interfaces of the ASA devices.
2. Yes, theoretically since the 2 units share state info between them then you should not have a problem. Again, I didn't test that personally and I'm honestly concerned that this might be a limitation between the different contexts.
3. I'm not sure, but as far as I know the 3750 is a normal switch and switches usually can't do load balancing. For this you need a load balancer, something like the CSS product I guess.
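For reference, here is what the Active-Passive layout recommended in both replies above looks like in configuration form. This is an added example, not configuration posted by anyone in this thread and not taken from Cisco documentation; it uses ASA 7.x single-context routed-mode syntax and IOS syntax on the L3 switch and edge router. Hostnames, interface names, the 10.10.10.0/24, 203.0.113.0/29 and 192.168.255.0/30 addresses, the `folink` name and the failover key are all placeholders chosen for the example. Comment lines starting with `!` are annotations only.

```cisco
! ===== ASA primary unit (Active/Standby, stateful failover) =====
hostname asa-primary
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
 no shutdown
! Dedicated physical link carrying both failover hellos and state replication.
! Keep it off the production VLANs so state-table traffic is not exposed there.
interface GigabitEthernet0/2
 no shutdown
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover link folink GigabitEthernet0/2
failover interface ip folink 192.168.255.1 255.255.255.252 standby 192.168.255.2
! Shared key (placeholder) so failover/state messages on the link are encrypted.
failover key CHANGE-ME-placeholder-key
! Enable failover last, after the link is fully defined.
failover
route outside 0.0.0.0 0.0.0.0 203.0.113.1

! ===== ASA secondary unit: only the failover bootstrap is typed here; =====
! ===== the rest of the configuration is replicated from the primary.  =====
interface GigabitEthernet0/2
 no shutdown
failover lan unit secondary
failover lan interface folink GigabitEthernet0/2
failover link folink GigabitEthernet0/2
failover interface ip folink 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover key CHANGE-ME-placeholder-key
failover

! ===== Internal L3 switch (IOS) =====
! With Active/Standby the active address 10.10.10.1 moves to whichever
! unit is active, so one default route is enough. The two-route form from
! point 1 of the first reply (a floating static with a worse administrative
! distance, e.g. "ip route 0.0.0.0 0.0.0.0 10.10.10.2 10") is only needed
! when each unit answers on its own address, as in the Active/Active case.
ip routing
ip route 0.0.0.0 0.0.0.0 10.10.10.1

! ===== Edge router (IOS), outside of the L2 perimeter switch =====
ip route 10.10.10.0 255.255.255.0 203.0.113.2
```

After both units come up, `show failover` on either ASA shows which unit is active and whether the stateful link is up, and a connection opened through the active unit should appear in `show conn` on the standby unit as well, which is the replication the replies rely on for sessions surviving a failover.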