Ok, that makes some sense.

So in the instance where I have a VLAN (say VLAN 200) that is on both the inside and operations interface, the config might look something like this?

interface gigabitethernet 1/2.200

nameif Enterprise

security-level 50

vlan 200

interface gigabitethernet 1/3.200

nameif Enterprise

security-level 50

vlan 200

Is that correct? Do I need to configure the interface as a trunk (for the remaining VLANs), or since it's a subinterface it's not truly a trunk interface? 

I don't use Cisco firewalls, but reading the documentation, it say that you cannot assign the same vlan to 2 different sub-interfaces.  As for trunking the documentation does not explain it.  So I think when you assign a vlan to a sub-interface it makes a trunk port but not sure.

HTH

Interesting. So do you think it's not possible to have the same VLAN on 2 different interfaces now? That seems very limiting.

I believe its to do with them moving from switch ports in the 5505 to routed ports in the 5506.

You can use the same VLAN ID on multiple ports but the VLAN doesnt "span" across all of the interfaces.  

I thought so too. But when I run the command to assign the VLAN to the second interface, I get:

"ERROR: VLAN 50 exists in the global vlans table"

Have a look at this discussion.  Other people have the same issue/frustration with Cisco firewalls.

https://supportforums.cisco.com/discussion/12456891/asa-5506-x-switchports

HTH

I did read those threads. But I'm still confused. Maybe it's been too long since my schooling.

I thought you had to route between VLANs. People are talking about needing an L2 switch, but wouldn't you need a router? I have plenty of L2 switches on the network.

Let me tell you what I'm trying to accomplish; maybe I'm doing it in a round-about way.

I have a VLAN that hosts some operations servers. As an example, one of those servers hosts a web service. In general traffic should be segregated between the Enterprise and Operations network. But I want to allow tcp/443 so users can access the web server.

With the 5505 I had both ports with VLAN 50 on them. The security level of the Operations network was higher than the Enterprise network. And I had an ACL rule that allowed tcp/443.

Sorry i dont understand. 

So you had 2 VLAN 50's that are different. Could you not create another vlan 51 and put servers into that or use no Vlans and just use access ports set to the correct VLAN on the switch and plug them info the ASA. 

Maybe this will help.

I have a network that spans 2 interfaces.

1 interface brings back the communications from the remote sites on VLAN 50.

The second interface is everything in the office (many VLANS), which includes servers on VLAN 50.

Ok. So in the old firewall you simply put both ports in the same vlan but apparently this is not possible with the new firewall.  So, what you can do is to put the first interface that bring back the communications from the remote sites in a different vlan (51) and than the firewall will route between vlan 50 and 51.

Does this help?

HTH

Thanks for helping me work this out.

That would work except they're currently in the same VLAN same subnet. So by changing subnets I would have to either change IPs of all the field devices, or all of the servers (including Domain Controllers). Both options are not preferable.

I'm thinking now that instead of bringing the connection from the fields devices (a private link) into the ASA, I can bring it directly into one of the L2 switches.

Trying to think through this solution now. Any pitfalls?

As long as its L2 it would not work because it ultimately has to connect to the firewall (vlan 50) for routing. What you can do is to terminate the filed devices (private link) in a switch and put the gateways for those on the switch and than have a layer-3 routed port from the switch to the firewall. This was the gateway for the second interface where you have all the other vlans for the office stays on the firewall and the gateway for the private link is the new switch and than you route between the switch and the firewall.

HTH