I'm currently in the process of migrating from a single PIX515e to 2 x ASA5540s which need to be configured as active/active failover pair.  The ASAs will each have a GigE connection to a 6506 switch (Distribution switches) with Sup720 in Native mode functioning as inside LAN routers, a connnection for LAN failover and a connection for Stateful failover.  There will be 2 x 6506 (Sup720s in Native mode) switches functioning as Outside routers with T3 circuits from each router to different service providers.  The inside routers are running OSPF for routing between vlans and are trunking between them (VTP client/server setup).  A separate vlan has been created to function as the gateway (vlan to which the ASAs will connect).  A default static route is created to send non local traffic to the ASAs.  The ASAs will be running NAT (there will be some NAT 0 and static for a couple of WEB/Email servers etc in the DMZ).  The ASAs will not be running any dynamic routing protocols.  The outside routers will be peering with ISPs via eBGP and each other via iBGP.  The outside routers will have trunking enabled between them.  I have a couple of questions about the ASA configuration process.  The Cisco documentation says to enable active/active failover multiple security contexts are required.  Most of the documentation shows subinterfaces being configured on the ASAs however since the inside routers as well as outside routers will be doing their own routing is the subinterfaces necessary? Also based on the current NAT statements and ACLs configured on the PIX515e I would like to migrate them as-is so do I need to apply the same statements to each security context or just the system security context (assuming that the Cisco documentation is correct with the multiple security context requirement for active/active failover).  Below is an example of a configuration file I created (variables in uppercase would need to be replaced by actual information) however I'm not sure where to add the NAT statements and ACLs and where to apply the ACLs.  I presume each context would have the same ACLs and NAT statements however I'm not sure.  Any input would be much appreciated.  Just as a fyi I did not mention above the extra connections from the ASAs to each router.  The ASAs will have links to Outside routers 1 and 2 and Inside routers 1 and 2.  Will also need to add static routes.

config t
!
mode multiple
!
interface OUTSIDEINTERFACE
no nameif
description Link to Outer Router 1 interface OUTERROUTERINTERFACE
no ip address x.x.x.x y.y.y.y standby x.x.x.x
!
interface INSIDEINTERFACE
no nameif
description Link to Inner Router 1 interface INNERROUTERINTERFACE
no ip address x.x.x.x y.y.y.y standby x.x.x.x
!
interface OUTSIDE2INTERFACE
no nameif
description Link to Outer Router 2 interface OUTER2ROUTERINTERFACE
no shutdown
!
interface INSIDE2INTERFACE
no nameif
description Link to Inner Router 2 interface INNER2ROUTERINTERFACE
no shutdown
!
interface LANFAILOVERINTERFACE
no nameif
description LAN Failover Interface
no ip address x.x.x.x y.y.y.y standby x.x.x.x
!
interface STATEFAILOVERINTERFACE
no nameif
description STATE Failover Interface
no ip address x.x.x.x y.y.y.y
!
failover
failover lan unit primary
failover lan interface LANFailover LANFAILOVERINTERFACE
failover lan enable
failover key FAILOVERKEY
failover link stateful STATEFAILOVERINTERFACE
!
failover interface ip LANFailover LANFAILIPADDRESS LANFAILSUBMASK standby LANFAILIPSTAND
failover interface ip STATEFAILOVERINTERFACE STATEFAILIPADDRESS STATEFAILSUBMASK standby STATEFAILIPSTAND
!
failover link interface LANFAILOVERINTERFACE
!
failover group 1
primary
preempt 10
polltime interface msec 500 holdtime 5
failover replication http
!
failover group 2
secondary
preempt
polltime interface msec 500 holdtime 5
failover replication http
!
admin-context admin
context admin
config-url flash:/admin.cfg
!
context context1
allocate-interface INSIDEINTERFACE inside_company1
allocate-interface OUTSIDEINTERFACE outside_company1
config-url flash:/company1.cfg
join-failover-group 1
!
context context2
allocate-interface INSIDE2INTERFACE inside_company2
allocate-interface OUTSIDE2INTERFACE outside_company2
config-url flash:/company2.cfg
join-failover-group 2
!
changeto context context1
!
hostname CompanyContext1
interface INSIDEINTERFACE
nameif NAMEIFINSIDE
security-level 100
ip address INSIDEIPADDRESS INSIDEIPMASK standby INSIDEIPSTAND
monitor-interface OUTSIDEINTERFACE
!
interface OUTSIDEINTERFACE
nameif NAMEIFOUTSIDE
security-level 0
ip address OUTSIDEIPADDRESS OUTSIDEIPMASK standby OUTSIDEIPSTAND
monitor-interface INSIDEINTERFACE
asr-group 1
!
changeto context context2
!
hostname CompanyContext2
interface INSIDE2INTERFACE
nameif NAMEIF2INSIDE
security-level 100
ip address INSIDE2IPADDRESS INSIDE2IPMASK standby INSIDE2IPSTAND
monitor-interface OUTSIDE2INTERFACE
!
interface OUTSIDE2INTERFACE
nameif NAMEIF2OUTSIDE
security-level 0
ip address OUTSIDE2IPADDRESS OUTSIDE2IPMASK standby OUTSIDE2IPSTAND
monitor-interface INSIDE2INTERFACE
asr-group 1
!
change system
!
prompt hostname context
!
end
!
write mem
!