P.S. I guess ASAv is the term used in Azure/AWS environments when you just mount a software image version, and you are not dealing with the hardware itself?!!, I didn't mean that here, I meant ASA logical devices

1) So we can't create two or three Logical devices on the same SM-40 for example?

so the ability to have multiple ASAs is not license related, it's module related?

2) Could you also confirm that we have this limitation of Active/Active on Logical Devices the same way as ASAv?

the ASAv does not support the following ASA features:

• Clustering
• Multiple context mode
• Active/Active failover
• EtherChannels
• Shared AnyConnect Premium Licenses

2) Could you also confirm that we have this limitation of Active/Active on Logical Devices the same way as ASAv?

ACTIVE/ ACTIVE means multi-context, if ASAv does not support multi-context, there is no A/A - its only Active-Standby.

My mistake I didn't really mean ASAv from the beginning, I meant Logical Devices

I don't think a logical device has any of those limitations?!

Correct - the ability to run multiple ASA logical devices on a given Firepower 9300 is constrained to one per SM. You can have 1, 2 or 3 SMs in a Firepower 9300 chassis.

Any ASA logical device running on a Firepower 9300 can be multiple context, subject to ASA context licensing.

Any ASA logical devices running on a Firepower 9300 chassis can be clustered - both intra chassis (assuming you have multiple SMs) and inter-chassis.

Note that FTD logical devices on Firepower 9300 chassis are not the same. They don't have the concept of multi context. They have multi instance. You can run multi instance FTD on a Firepower 9300 with a single SM subject to hardware (CPU cores and memory) constraints.

For more detail please refer to Cisco Live presentation BRKSEC-3035 from Cisco Live Europe 2020.

That's a hell of a presentation and I need to go through the documentations as well but I haven't found time yet, thank you

If you can help with how do we aggregate the outside interface on Firepower 9300 Cluster(two chassis ECMP chosen), and obviously it can't be a trunk of both inside and outside

What type of a device(aggregator) do I need on the outside interface since we NAT usually on the outside interface of the ASA, how can we put another L3 interface on the other end before it goes to the internet, so we're gonna NAT two times? once at the ASA cluster, once at the Aggregator(whether a switch or a router)?

Or we don't NAT at all at the ASA, we just NAT on the last hop(Router)?!

Is this for real world or theoretical use case?

Generally when one is looking at over half a million US$ setup like you've diagrammed there will be a high level and low level design prepared by the implementing team. It wouldn't be something designed by asking a couple of questions in a public forum.

Good information provided by the user, But question are you the one who going to deploy ? is this green field or brownfield deployment?

it's a brownfield

and please answer my questions, it doesn't matter that it's a real case scenario or not, it doesn't matter that we have unlimited budget, this forum is for people who have technical questions, and everything in technology has an an answer to it, thank you so much guys for sharing your infield experience as I can't find these in textbooks

but let me rephrase my questions, 

1) Where does the NAT typically take place in productions that have both firewall and a router(who is a DMVPN hub)

• Only at the Firewall(behind a router) on Number one, although I don't think this can be possible
• Both being nat-ed at the Firewall and the Router(twice) Number 1 and 2
• Only at the router(number 2)

2) Generally in most productions out there, router is behind the firewall or firewall is behind the router? I found it would be highly inconvenient in lotta of ways, to place the firewall as the last node, specially if you are a DMVPN hub.

is placing the router as the last node can compromise the security at all?

3) How do we aggregate the outside interface of the two chassis(cluster ECMP), is there a special device, or you can use either a Router(ASR 9000 nVR cluster) or a L3 interface switch SVL(Stackwise virtual)?