Thanks for your quick response. As for the IP address assignment, I'm trying to assign an IP address to router and firewall that's the same IP range. 

For example, if an ISP gives me the usable range of 72.22.222.222-224 with 255.255.255.248 subnet, can I assign 72.22.222.224 to the router and 72.22.222.225 to the firewall? 

ISR 4321 ==>  ASA 5520 ==> Switch

From your response, it seems like I would have to ask my ISP to give me another routed subnet for firewall use. 

Does the ISP provide you with a single Ethernet connection? If so, why not plug it directly into the ASA?

I'm trying to create a Routed-Based VPN with my Azure subscription and for that I need router for the configuration. I can connect the ISP hand off to the firewall directly but the firewall only supports Policy-Based VPN configuration. 

You could use the switch port NIM.  Plug the ISP and the Firewall into the same VLAN, and then they would all be in the same subnet.

I would personally get a second /29 for your configuration.

Hello,

You can also ask your ISP to give you a private range for connection between your router and ISP and then use the public range on your router or your ASA. This probably gives you more public IP addresses since you do not waste IPs for the ISP link.

Masoud

I don't think they can because they need to terminate an Azure VPN onto the router as well.  They need public IP address space.

What's the use for NIM-1GE-CU-SFP module? How is this different than the modules that you suggested above. I believe the native ports on the router are Layer 3 and NIM-ES2-4 might appear in the router as layer 2 ports. Just needed little more clarification of the module so I pick the correct one for my application. Thanks.

NIM-1GE-CU-SFP is a "full" routed layer 3 port.  The modules I suggested are layer 2 switch ports.

You can assign an IP address directly to NIM-1GE-CU-SFP, using it for L2TP, etc.

The modules I suggested allow you to assign the layer 2 ports to a VLAN and then put an IP address on it.  On the whole, they can't be used for advanced functions like L2TP.

Basically, I ended up using all ports on this NIM module. No native ports of the routers were used for this configuration. Since all NIM ports are switchports, I ended up creating a VLAN and making all switchports part of that VLAN. With this configuration, I was able to use the single /29 network from my ISP and configure both edge router and firewall on the same network. Thanks for all the feedback provided on this post. 

Hello, I have reviewed the entire router and can not find the compact flash. All that I found is a socket to place a flash like this: