Hello MHM,

I edited my post and added a diagram.  Please take a look and let me know if you have any questions.

Mark

what is vlan between FTD and SW and between FTD and core SW 
MHM

Both are trunks with VLAN 16 and VLAN 254.

but the FTD is transparent mode and the VLAN need to be different 
the INside VLANx the OUTside VLANy
the FTD change the NAT tag when frame pass through the FTD 
I think this make loop in your network. 
MHM

It is running in transparent mode.. there is no NAT running on the FTD.  I configured the interfaces in the following manner.  

I know friend you already reply to my Q 
but that wrong 
you need to specify the VLAN different 
 

Ok, so let me see if I understand what you are saying.

My understand is that one of the benefits of using FTD in transparent mode is that you can insert it into the network without having to make changes to your current network.

Are you saying I need to change the vlan on the INSIDE switch to a different VLAN or just from the INSIDE/OUTSIDE interface on the FTD?  I'm not quite following you here.  If I have to make changes to my inside network switches then this isn't a good solution.

@MHM Cisco World is correct here, you need to decide which interface goes to the building and which goes towards core and remove then on the Building interface you have only the VLANs specific for the building and remove the VLAN that is for the core.  Then do the opposite for the interface connected to core, remove the building VLANs and keep the core VLANs.

I'm not following what you are saying here... I need both VLANs going to the core and to the building.  VLAN 16 is my data for the building and VLAN 254 is my management VLAN.

You dont need to make changes to the IP subnet setup is what is meant with not needing to make changes.  There does need to be some L2 changes, but that is minor compaired to having to setup new subnets.

OK so if you need both then you would need separate VLANs for each on the building side.

for example.  If VLAN 16 (data) and VLAN 254 (MGMT) are in the core you would need to "map" them to separate VLANs on the building side, lets say VLAN 15 (data) and VLAN 253 (MGMT) for this example.  This is done by assigning each interface a separate VLAN but binding them to the same BVI interface.

So on core switch side of the FTD you would have VLAN 16 and VLAN 254, then on the building side you would have VLAN 15 and VLAN 253.

Ok, so if I am understanding you correctly, I'd leave the following as is since I already have interface vlans for 16 and 254 bound to the BVI and e1/1 (Outside) is set as a trunk with vlan 16, 254 coming from the CORE.

On the FTD I'd add interface vlans for 15 and 253, then add those to the BVI.  Also make sure to change e1/8 (Inside) from trunk with vlan 16 and 254 to trunk with vlan 15,253.  I assume I'd have to change the trunk at the building switch to allow 15 and 253 and then change the ports on the switch to access for 15 or 253 respectively.  Am I missing anything?  So the FTD would map the vlans correctly within the BVI based on the subnet?

you can use any VLAN in trunk between the AccessSW and FTD 
but you must use one BVI for each two VLAN 
i.e. VLAN16 and VLAN15 use BVI1 
VLAN254 and VLAN253 use BVI2

here the Access SW send frame tag with VLAN15 and FTD remove this tag (after inspect) and tag again with VLAN16 and forward it to CoreSW

MHM

Ok, this make sense now.   I'll give this a try and let you know the results.