I am trying to determine whether or not it makes sense to add a distribution set of switches as part of an ASA firewall design effort or to just bring the ASAs directly into the existing collapsed core/dist pair.
Basically, we have a site that has a collapsed core/distribution using a pair of 6500s. All access switches are dual homed to this core/dist pair.
We need to implement a redundant ASA solution for a vendor application at this site. On the vendor's side there will be a 3750 stack with one uplink going to ASA 1 and the other uplink going to ASA 2. Right now we are considering a pair of 3560s on the other side of the ASAs, which would then connect L3 into the core/dist pair of 6500s. Between the internal 3750 stack and the pair of 3560s will be L3 PTP links. The ASAs will be in transparent mode.
I am wondering what all the pros/cons are of bringing the ASAs directly into the collapsed core/distribution. What is the benefit of adding another L3 hop to the design with the 3560s? If we have L3 between the vendor's router and the core/dist, with the ASAs in the middle, shouldn't that sufficiently satisfy the security concerns? Below are quick sketches of the two topologies.
Option 1:

                  --------ASA1--------3560 dist--------6500 core/dist--------
LAN-------3750 stack                      |                  |                Core
                  --------ASA2--------3560 dist--------6500 core/dist--------

Option 2:

                  --------ASA1------------------------6500 core/dist--------
LAN-------3750 stack                                         |                Core
                  --------ASA2------------------------6500 core/dist--------
Any thoughts are appreciated.
Chuck
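As an added illustration (not part of Chuck's post or his site's actual configuration), here is a minimal active/standby transparent-mode configuration for the ASA pair in either topology. It assumes ASA 8.4 or later bridge-group syntax, one bridged point-to-point subnet between the vendor 3750 stack (inside) and the 3560 or 6500 side (outside), and hypothetical interface names, VLAN addressing and a hypothetical application server address. The point it shows is that a transparent ASA is not an L3 hop at all: the two switches on either side are direct L3 neighbors, the ASA only bridges the subnet between them, and the security boundary comes from the ACLs applied to the bridge, not from the number of routed hops.

```cisco
! Added example, not from the original post. Assumed ASA 8.4+/9.x syntax;
! all interface names, addresses and the server address are illustrative.
firewall transparent
hostname vendor-fw
!
! Outside faces the 3560 (Option 1) or the 6500 (Option 2);
! inside faces the vendor 3750 stack.
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
 no shutdown
!
! The BVI holds the ASA's own management address inside the bridged
! point-to-point subnet. The subnet is assumed to be a /29 rather than a /30
! so the 3750, the upstream switch and both ASAs (active + standby) fit.
! Neither ASA routes this subnet; it is one L3 link between the switches.
interface BVI1
 ip address 10.10.10.3 255.255.255.248 standby 10.10.10.4
!
! Default route is only for traffic the ASA itself originates (management,
! logging); transit traffic is bridged, never routed.
route outside 0.0.0.0 0.0.0.0 10.10.10.1
!
! Dedicated failover + stateful failover link between the two ASAs.
! On the second unit use "failover lan unit secondary".
interface GigabitEthernet0/3
 no shutdown
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover link FOLINK GigabitEthernet0/3
failover
!
! Transparent mode drops non-IP frames unless an EtherType ACL permits them.
! Permitting BPDUs lets the switches on both sides see each other's spanning
! tree through the bridge, so a cabling loop around the ASAs is detected.
access-list ETHER ethertype permit bpdu
access-group ETHER in interface inside
access-group ETHER in interface outside
!
! Lower-security outside to higher-security inside needs an explicit permit.
! Allow the routing protocol running across the PTP link plus only the
! application traffic the vendor server needs; everything else is dropped.
access-list OUTSIDE_IN extended permit ospf any any
access-list OUTSIDE_IN extended permit tcp any host 10.20.0.10 eq 443
access-group OUTSIDE_IN in interface outside
```

Only the active unit forwards frames; the standby unit keeps its interfaces up but bridges nothing, so with the 3750 stack's two uplinks landing on different ASAs, both uplinks and both upstream switch ports have to sit in the same L2 segment for the bridged /29 to survive a failover. That constraint exists in both Option 1 and Option 2, so the 3560 pair does not remove it; it only moves which switch pair has to carry that segment.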