Hello Matt
There is no single best answer, but there are specific principles that will determine the best arrangement for a particular topology.
Remember that a firewall introduces another location where routing takes place. This affects your topology, as well as introduces a single point of failure into the network, if you have only one device. So if you have an HSRP arrangement and you want to maintain that redundancy, introducing a high availability firewall implementation is necessary.
Next you have to determine if “firewall on a stick” is the way to go for you. In the options described in the diagrams, this is the topology that is represented. Typically, you will have three VLANs hanging off of the ASA (inside, DMZ, outside). If you use firewall on a stick, a single physical link will be used to carry traffic for all three VLANs. Alternatively, you can use three physical connections to your switches, but that uses up valuable physical ports on your switches. For this reason, you may want to place them physically inline, between the 3750s and the 1921s shown in the first diagram. That, in turn, seems to defeat the purpose of the HSRP configuration, so you may consider replacing the 1921s with an Active/Active firewall arrangement that will perform the same type of redundancy as the HSRP implementation. In this way, you remove additional points of failure.
If I was building something from scratch, I’d connect the firewalls directly to the service provider in an Active/Active arrangement to replace the HSRP routers. I’d connect both firewalls to both 3750 switches with two physical connections each (DMZ and inside network) and let the 3750s do the rest of the routing for the rest of the internal VLANs.
I would only use the firewall on a stick topology in an already established network for which I want to change the least amount of things.
I know I haven’t definitively answered the question, simply because there is no definitive answer. But I hope it gives you more insight in order to decide on how to proceed.
If your topology is similar to the first diagram, then you would have to configure firewall on a stick for each ASA, and then have all your outgoing traffic (from both DMZ and inside networks) use the firewall as the default gateway (or at least route the traffic there), and have the firewall route traffic to the HSRP virtual address.
I hope this has been helpful!
Laz
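
The firewall on a stick arrangement described in the reply above, as an added ASA configuration sketch that is not part of the original post. The interface name, VLAN IDs and all addresses are constructed assumptions; 192.0.2.1 stands in for the HSRP virtual address of the two routers.

```cisco
! Added example, constructed values: VLANs 10/20/30, Gi0/0 and all IPs are assumptions.
! The switch port facing Gi0/0 must be an 802.1Q trunk carrying the three VLANs.
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Inside network: hosts use 10.0.10.1 as their default gateway
interface GigabitEthernet0/0.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
! DMZ: hosts use 10.0.20.1 as their default gateway
interface GigabitEthernet0/0.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 10.0.20.1 255.255.255.0
!
! Outside: shared segment with the HSRP router pair
interface GigabitEthernet0/0.30
 vlan 30
 nameif outside
 security-level 0
 ip address 192.0.2.10 255.255.255.0
!
! Default route points at the HSRP virtual address (assumed 192.0.2.1),
! so a router failover does not require any change on the firewall
route outside 0.0.0.0 0.0.0.0 192.0.2.1
```

With the default security levels, traffic from inside to dmz or outside is permitted, while anything initiated from a lower level toward a higher one needs an explicit access list.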