ASA5506 Network setup guidance

grggyoung (Level 1)

I just purchased a 5506 and would like some guidance.  First I'll say that I'm pretty green and trying to learn so be patient with me.  I thought I read that the 5506 supports more networks than the 5505 and they can route traffic between each other.  I would like to do the following, first define 3 networks (net1, net2 and net3), connect to remote vpn and route traffic between net1 and net2.  network 3 will be my guest network.  I have the following working

 

vpn connected

net1 routes to the internet

net1 routes to remote network over VPN

net2 routes to the internet

net3 routes to the internet

 

Do I accomplish this by setting up a NAT rule between net1 and net2?  Do they need the same network security level?

2 Replies

Hi @grggyoung

The answer depends on your environment. NAT is required when traffic goes to the Internet, when you have a VPN with a remote site that has the same IP range as you, or if you just want to hide your IP addressing.

Security level also depends on you. Usually Internet interface gets Security level 0 and Inside interface 100. 

If net1 and net2 are inside interfaces, they can get the same security level of 100. This makes it easier to manage traffic.

 

-If I helped you somehow, please, rate it as useful.-

First of all, I would like to tell you the difference between the 5505 and the 5506.
 
 

The Cisco ASA 5506-X is a next-gen firewall with FirePOWER Services. There have been questions regarding the ASA 5506-X not supporting L2 switch ports and what alternatives to consider to provide this support.

 

For those instances where customers require L2 switching capabilities with the ASA5506-X, the following options are available:

  • Cisco recommends an external switch solution through the Cisco Small Business group: an 8-port model (SG110D-08) or a 5-port model (SG110D-05) unmanaged gigabit switch. Both have been tested for compatibility with the ASA 5506-X. For more information about the 110 Series Unmanaged Switches, please refer to the attached document, or visit this site.

  • For those customers looking for a firewall without FirePOWER Services, the ASA 5505 offers integrated L2 switching to meet this requirement. There are no plans at this time to end-of-sale the ASA 5505, and it continues to support the full-featured firewall for small business, branch and enterprise teleworker environments.

 

The ASA 5506-X brings Cisco’s threat-protection capability to small to midsize businesses and distributed enterprises.  Added features include:

  • The same next generation firewall capabilities as our mid- and high-range ASA with FirePOWER Services models which include Application Visibility and Control (AVC), Advanced Malware Protection (AMP), Next Gen Intrusion Prevention System (NGIPS), and URL filtering applications via subscription

  • Higher performance and increased throughput (more than 2.5x firewall throughput)

  • A variety of form factors including wired and wireless models, a ruggedized version for industrial control deployments as well as two high performance rack mounts.

  • On-box or centralized management for deployment flexibility

  • Hardware security and anti-counterfeiting trust anchor technologies

  • VPN with enhanced mobility support

Answering your question regarding NAT, I would say that there is no such hard and fast requirement for NAT within the internal network. It depends upon your choice: if you want to mask your real IP, you can sure go ahead and do it.

It is mandatory in the case when you need to go to the Internet.

 

Now regarding the security level: the Internet-facing interface must be kept at the lowest security level; usually it is kept at 0. The rest of the interfaces can be kept at the same security level, but then you need to allow it with the command "same-security-traffic permit inter-interface".

Now, to add to this statement, you can also get it done by using ACLs. But then, if you have an interface with an ACL and another interface without an ACL and you want to pass traffic between the two interfaces, the interface without an ACL will rely on the security level while the interface with the ACL configured will rely on the ACL entries configured.

 

The interface security level becomes irrelevant if an ACL is applied to filter traffic on that particular interface. Thus, traffic that is not permitted in the ACL will be dropped due to the "implicit deny" at the end of the ACL.

--

Please remember to select a correct answer and rate helpful posts
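Putting the two replies together, here is an added example ASA configuration (not from either poster, and not from the original question) that implements what the original post asks for: net1 and net2 at the same security level with inter-interface traffic permitted, PAT to the Internet for all three networks, identity NAT so net1 traffic to the remote VPN subnet is not translated, and an ACL on the guest interface that keeps guests off the internal networks. The interface assignments, the address ranges (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 and a remote site of 10.10.10.0/24) and the object and ACL names are assumptions; the site-to-site VPN itself is assumed to be already configured, as the original post says it is.

```text
! --- interfaces: Internet lowest, net1/net2 equal, guest in between (assumed layout)
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 nameif net1
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 nameif net2
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/4
 nameif guest
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! --- net1 <-> net2 share security-level 100, so this command is required;
!     no NAT is needed between them, they are simply routed
same-security-traffic permit inter-interface
!
! --- network objects (assumed names/ranges)
object network NET1
 subnet 192.168.1.0 255.255.255.0
 nat (net1,outside) dynamic interface
object network NET2
 subnet 192.168.2.0 255.255.255.0
 nat (net2,outside) dynamic interface
object network GUEST
 subnet 192.168.3.0 255.255.255.0
 nat (guest,outside) dynamic interface
object network REMOTE_VPN
 subnet 10.10.10.0 255.255.255.0
!
! --- identity (no-NAT) rule for net1 -> remote site over the VPN;
!     manual NAT is evaluated before the object NAT above, so VPN traffic
!     is never PATed to the outside address
nat (net1,outside) source static NET1 NET1 destination static REMOTE_VPN REMOTE_VPN no-proxy-arp route-lookup
!
! --- guest may reach the Internet but not the internal networks.
!     Once this ACL is bound, the security level no longer decides guest
!     traffic: only the entries below (and the implicit deny) do.
access-list GUEST_IN extended deny ip any object NET1
access-list GUEST_IN extended deny ip any object NET2
access-list GUEST_IN extended permit ip any any
access-group GUEST_IN in interface guest
```

Before trusting the result, trace the three flows the question cares about with packet-tracer, for example `packet-tracer input net1 tcp 192.168.1.10 12345 192.168.2.10 80` (should be allowed, no NAT), `packet-tracer input net1 tcp 192.168.1.10 12345 10.10.10.10 443` (should hit the identity NAT rule and the VPN), and `packet-tracer input guest tcp 192.168.3.10 12345 192.168.1.10 445` (should be dropped by GUEST_IN). `show nat` confirms the identity rule is listed in section 1 ahead of the dynamic PAT entries.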
