Can't create VLAN interfaces on ASA 5555-X

amardulaimi
Level 1

Hello, I've noticed that I can't create VLAN interfaces on this model, but I used to be able to on older models like the ASA5505. Has this been changed? I'm new to the X series. What's the equivalent of doing this on the 5555-X?

16 Replies

TJ-20933766
Spotlight

The 5505 had a built-in switch, so you were allowed those commands. What you want to do on the 5555-X is create sub-interfaces, much like you would on a router, if you need a trunk to a switch using 802.1Q VLAN tags. Otherwise each interface is a routed interface.

balaji.bandi
Hall of Fame

No, you do not have the same facility with the X models; you may need to add a switch, and a trunk with sub-interfaces is a wise idea.

Or say what your goal is.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I have 4 subnets/VLANs on the inside network and have two ASA5555-Xs in HA. Each ASA connects to a Nexus 9K switch, and a Nexus 2K connects to the Nexus 9Ks. How do I go about configuring this on the ASA?

Is this live, or is it going to be live and you are designing this?

Not sure what the role of this ASA is; is this a DC deployment or a standard WAN / perimeter edge?

Is the Nexus going to be deployed in vPC? I prefer the ASA not to be deployed into vPC, for some reasons; they should connect to their respective parent device.

If the VLANs are on the Nexus, they will be configured using HSRP for the 4 VLANs, and you configure a port-channel to the ASA; the ASA will have port-channel sub-interfaces tagged to the respective VLANs.

Does this make sense? If you make a small physical and logical diagram you can understand it easily.

BB

Yes, this is for a datacenter deployment. There will be WAN routers too, but that's for later; right now the ASA will be the WAN edge. The Nexus is already configured in vPC. The VLANs are configured on the Nexus 9Ks. Do I also need HSRP between the 9Ks? Do I have to configure 2 ports in a port-channel on the ASA, or just sub-interfaces? I'm currently using one link from each Nexus 9K to each ASA. Please see the attached drawing.

1. For better resiliency it is suggested to have 2 links in a port-channel.

2. You can do HSRP on the Nexus; look at the HSRP guidelines and how to configure it.

3. The same VLANs can be tagged to the respective port-channel sub-interfaces.

BB

I have configured HSRP now. I guess my main question is: I have 4 VLANs on the Nexus 9K, which is the inside network. What configuration do I need on the ASA5555-X G0/1 inside interface to allow all 4 VLANs access? Will a static route on the Nexus 9K pointing towards the ASA inside interface IP be good enough?

The ASA will have the connected interface as Layer 3, as per my understanding of your deployment, so you need to have a port-channel config with a sub-interface associated with the respective VLAN for them to communicate to the gateway. (Does this make sense? Or did I understand the requirement wrong here?)

BB

Yes, the inside interface on the ASA is Layer 3, but I'm only using one link right now, not two, between the ASA and the Nexus 9K switch. Do I still need the port-channel, or can I just use sub-interfaces? Also, what IP address do I configure on the ASA Layer 3 inside interface? Any IP, or does it need to be related to one of the VLANs?

If you want more VLANs at the ASA end, the port needs to be a trunk port on the switch side, with the respective VLANs allowed on the trunk on the switch side.

On the ASA side you require a small downtime to re-configure the same interface with sub-interfaces for the respective VLANs (and put each VLAN in the respective security group).

On the ASA side, example:

! parent port carries the trunk; it gets no name or address of its own
interface gigabitethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! each sub-interface needs nameif, security-level and an IP before it passes traffic
interface gigabitethernet0/1.10
 vlan 10
 nameif <name-for-vlan10>
 security-level <0-100>
 ip address <address> <mask>
!
interface gigabitethernet0/1.20
 vlan 20
 nameif <name-for-vlan20>
 security-level <0-100>
 ip address <address> <mask>

Switch side:

interface ethernet0/0
 switchport mode trunk
 switchport trunk native vlan X
 switchport trunk allowed vlan 10,20

This config should be the same on both switches, and the ASA standby should replicate the same config.

BB
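A fuller version of the trunk and sub-interface design described in this reply, written out as an added example; it is not config from the thread. It uses the four VLANs and subnets the original poster lists further down (60, 64, 65 and 70). The interface numbers, the nameif values, the ASA and standby addresses (.254 and .253 on each subnet) and the unused native VLAN 999 are assumptions.

```cisco
! ASA 5555-X active unit; the failover peer receives this through config sync.
! The parent port carries the 802.1Q trunk and has no name or address itself.
interface GigabitEthernet0/1
 description trunk to N9K
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One sub-interface per VLAN. Each needs nameif, security-level and an IP;
! "standby" gives the HA peer its own address on the same subnet (assumed .253).
interface GigabitEthernet0/1.60
 vlan 60
 nameif vlan60
 security-level 100
 ip address 10.92.0.254 255.255.255.0 standby 10.92.0.253
!
interface GigabitEthernet0/1.64
 vlan 64
 nameif vlan64
 security-level 100
 ip address 10.92.4.254 255.255.255.0 standby 10.92.4.253
!
interface GigabitEthernet0/1.65
 vlan 65
 nameif vlan65
 security-level 100
 ip address 10.92.5.254 255.255.255.0 standby 10.92.5.253
!
interface GigabitEthernet0/1.70
 vlan 70
 nameif vlan70
 security-level 100
 ip address 10.92.10.254 255.255.255.0 standby 10.92.10.253
!
! Interfaces at the same security level do not forward between each other
! unless this is enabled; leave it off if the VLANs must stay isolated.
same-security-traffic permit inter-interface

! Nexus 9K side (identical on both switches); port number assumed.
! The native VLAN is an unused one, so no production VLAN rides the trunk untagged.
vlan 999
  name UNUSED-NATIVE
!
interface Ethernet1/1
  description to ASA Gi0/1
  switchport
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 60,64,65,70
  spanning-tree port type edge trunk
  no shutdown
```

In this design the ASA sub-interface becomes the default gateway for hosts in each VLAN, so the Nexus SVIs (and their HSRP addresses) for those four VLANs would be removed; otherwise hosts have two competing gateways. Each nameif can carry its own access-list, which is the point of terminating the VLANs on the firewall.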

But isn't this config going to change the Layer 3 inside interface on the ASA to Layer 2, and also the interface on the Nexus switch facing the ASA to Layer 2 as well? To my understanding your configs only allow communication between different VLANs? I want the 4 inside VLANs on the Nexus 9K to be able to reach the outside, and vice versa.

This may be misleading as per my post here, I guess; you can have a Layer 3 interface associated with that VLAN and an IP address.

As per the diagram, you have 1 link connected from the Nexus 9K to the ASA (this is a Layer 3 interface with p2p config). Can you share that config?

You would like more Layer 3 VLAN interfaces on the inside, with the same or different security zones, to connect outside? (This is what I am trying to give you an example config for.)

Can you please change that diagram to show your intention for the final stage, to get more clarity? (So we can be on the same page and it is easy to give you an example config.)

Post both the ASA and Nexus relevant config.

BB

There is not much config on the equipment for me to show you; that's why I'm asking how to configure this. I have 4 VLANs/subnets on the Nexus 9Ks.

VLAN 60 - 10.92.0.0/24 
VLAN 64 - 10.92.4.0/24 
VLAN 65 - 10.92.5.0/24 
VLAN 70 - 10.92.10.0/24

What I'm looking for is the config that I need on the link between the Nexus 9K and the ASA firewall: port configuration on the two ends to allow the 4 subnets access to the internet. I have already configured dynamic NAT on the firewall and configured the outside interface. I just need the interface configs between the ASA and the Nexus 9K.

OK, simple config; see if that works for you. You do not need to make any changes on the FW in terms of interface config.

You route the below VLANs on the Nexus side towards the ASA, and the ASA routes back to the Nexus via the exiting connected interface.

VLAN 60 - 10.92.0.0/24
VLAN 64 - 10.92.4.0/24
VLAN 65 - 10.92.5.0/24
VLAN 70 - 10.92.10.0/24

Then add the above new IP address space into NAT so they can reach the internet; if you are looking at inbound, then you need the same NAT config.

Does this make sense, rather than a lot of changes?

BB
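The routed alternative this last reply describes (no interface change on the ASA, static routes each way, NAT for the four subnets), written out as an added example; it is not config from the thread. The four inside subnets are the ones the original poster listed. The transit VLAN 254 and subnet 10.92.254.0/29, the addresses in it (ASA active .1, standby .2, switches .4 and .5, HSRP VIP .6), the HSRP group number, the Nexus port number and the object names are assumptions.

```cisco
! Nexus 9K-A (9K-B is identical except its own SVI address, assumed .5, and a lower priority)
feature hsrp
!
vlan 254
  name ASA-TRANSIT
!
! Both switches share one L3 transit subnet with the ASA pair; the ASA routes to the VIP,
! so it keeps working whichever switch is HSRP active.
interface Vlan254
  no shutdown
  ip address 10.92.254.4/29
  hsrp 254
    preempt
    priority 110
    ip 10.92.254.6
!
! Access port toward the ASA: the ASA sees a single routed subnet, not a trunk.
interface Ethernet1/1
  description to ASA-A Gi0/1
  switchport
  switchport mode access
  switchport access vlan 254
  spanning-tree port type edge
  no shutdown
!
! Anything the VLAN 60/64/65/70 SVIs cannot reach locally is sent to the ASA.
ip route 0.0.0.0/0 10.92.254.1

! ASA 5555-X: the existing inside interface stays a plain routed interface.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.92.254.1 255.255.255.248 standby 10.92.254.2
 no shutdown
!
! Return routes point at the HSRP VIP, not at one switch's real address.
route inside 10.92.0.0 255.255.255.0 10.92.254.6 1
route inside 10.92.4.0 255.255.255.0 10.92.254.6 1
route inside 10.92.5.0 255.255.255.0 10.92.254.6 1
route inside 10.92.10.0 255.255.255.0 10.92.254.6 1
!
! Dynamic PAT behind the outside interface address, one object per subnet so the
! NAT rule covers exactly the four inside networks and nothing wider.
object network VLAN60-NET
 subnet 10.92.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network VLAN64-NET
 subnet 10.92.4.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network VLAN65-NET
 subnet 10.92.5.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network VLAN70-NET
 subnet 10.92.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

The ASA-facing ports are orphan ports from the vPC domain's point of view, which is why a static route to the HSRP VIP is used rather than a routing adjacency across the vPC. To check the result, "show hsrp brief" on each Nexus should show one active and one standby for group 254, "show route" on the ASA should list the four inside subnets via 10.92.254.6, and "packet-tracer input inside tcp 10.92.0.10 1025 <internet address> 443" on the ASA walks a sample flow through routing and NAT.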