Redundancy with 2 ASA and 2 core switches

Will the ASAs be connected directly to each core switch, so ASA1 to core1 and ASA2 to core2, for example?

In a lot of the deployments I've seen/implemented the ASAs wouldn't be connected directly to the core switches.  Instead, a pair of switches would be used between the ASAs and the cores to provide redundant paths between them all.  This would allow ASA1 to see core2 without having to pass through core1, etc, and therefore removes the reliance on the connected core being up.  That in-turn means you could kill one core and not upset internet traffic going through the primary ASA, for example.

It really depends on more than just providing redundancy in that you need to consider how many internet circuits you have and how you want traffic to be routed normally and in the event of a failure.

I forgot to attach the snapshot of the network diagram that I have in mind. See pic. Thx

You need to do some routing tricks to make that work nicely, unless the two core switches are stacked or VSS and the ASAs are connected via Etherchannels.

The core switches will be configured as HSRP. Are they any examples of this scenario out there?

I understand, but what I'm saying is that IF you want to connect it all in this way you'll need to attack it in a slightly different way.

As your diagram shows, the ASAs will have a link to each core.  The problem here is that unless you use Etherchannels you'll have two separate routed interfaces per ASA, so you'll have to play with routing to get failover/redundancy to work nicely.  If you do use Etherchannels you'll need the cores to be stacked or configured in a VSS.

Instead of connecting each ASA directly to each core, use two switches instead.  It simplifies things massively and adds redundancy.  This lets you use HSRP and you can configure your ASAs in either active/active, active/passive or active/standby HA.

I did not think of that. So the switches between the ASA and the cores are just layer 2 switches and they don't do hsrp. Correct?
All the ports connected to those 2 switches are access ports, except the trunk between them. Correct?
Can those 2 switches be just 1 switch?

Yes everything between cores and ASAs is one single VLAN, including the link between switches (not cores).

You need 2 switches to mitigate the single point of failure.

The problem is I have to purchase 2 new switches. I am just wondering if it is easier to just stack the 2 cores.

That's a good idea on its own, but it'll only help with ASA redundancy if you can configure Etherchannels on them.  Which ASAs do you have?

5515x

I am lost when you talk about etherchannel on the ASAs. Can you elaborate on that? Thx

I see. So for ASA1, for example, the links to sw1 and sw2 will be setup as etherchannel. So all the connections between the ASA1 and the core switches are trunk and the default gateway for the core switches will be the IP address that is assigned to both ASA1 and ASA2. Correct?

I understand HSRP but I always get confused when it comes to the links going to the outside world, like should I use layer 2 trunk or layer 3 static routes or dynamic.