IPsec Hair-pinning done by a Router firewall for 2 branches
  (one branch is a transparent firewall and other branch is a router)

1) configure ASA1 in single context router mode and ASA2 in single context transparent firewall mode. Configure the Transparent firewall (ASA2) to use management IP as 2.2.2.10.

2) Configure a IPSec VPN tunnel between ASA1 and ASA2 to secure the management traffic towards ASA2. This tunnel should be applied only for traffic sourced from R1's interface towards the management address of ASA2. 

3) Configure another IPSec VPN tunnel between ASA1 and R3 to secure the traffic flow between R1's interface and the internal network of R3.

4) Configure "IPSec HairPinning" such that traffic sourced from R3's loopback towards the management interface of ASA2 uses the already established IPSec tunnels established in Objectives 2 and 3.
Courtesy  (Rajesh)

ASA1:
ASA Version  8.2(1)
!
hostname ASA1
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.1.1.10 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 1.1.1.10 255.255.255.0
!
same-security-traffic permit intra-interface
access-list crypto_acl extended permit ip host 10.1.1.1 host 2.2.2.10
access-list crypto_acl extended permit ip host 10.1.3.1 host 2.2.2.10
access-list crypto_acl2 extended permit ip host 10.1.1.1 host 10.1.3.1
access-list crypto_acl2 extended permit ip host 2.2.2.10 host 10.1.3.1
!
route outside 2.2.2.0 255.255.255.0 1.1.1.5 1
route outside 3.3.3.0 255.255.255.0 1.1.1.5 1
route outside 10.1.3.0 255.255.255.0 1.1.1.5 1
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto ipsec transform-set TS1 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CM 10 match address crypto_acl
crypto map CM 10 set peer 2.2.2.10
crypto map CM 10 set transform-set TS
crypto map CM 20 match address crypto_acl2
crypto map CM 20 set peer 3.3.3.1
crypto map CM 20 set transform-set TS1
crypto map CM interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
!
tunnel-group 2.2.2.10 type ipsec-l2l
tunnel-group 2.2.2.10 ipsec-attributes
pre-shared-key *
tunnel-group 3.3.3.1 type ipsec-l2l
tunnel-group 3.3.3.1 ipsec-attributes
pre-shared-key *
end

ASA2:  

ASA Version 8.2(1)
!
firewall transparent
hostname ASA2
!
interface Ethernet0/0
nameif outside
security-level 0
!
interface Ethernet0/1
nameif inside
security-level 100
!
access-list crypto_acl extended permit ip host 2.2.2.10 host 10.1.1.1
access-list crypto_acl extended permit ip host 2.2.2.10 host 10.1.3.1
!
ip address 2.2.2.10 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 2.2.2.5 1
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CM 10 match address crypto_acl
crypto map CM 10 set connection-type answer-only
crypto map CM 10 set peer 1.1.1.10
crypto map CM 10 set transform-set TS
crypto map CM interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
tunnel-group 1.1.1.10 type ipsec-l2l
tunnel-group 1.1.1.10 ipsec-attributes
pre-shared-key *
!
R1:

version 15.1
hostname R1
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 10.1.1.10
!
end

R3:

version 15.1
!
hostname R3
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 1.1.1.10
!
!
crypto ipsec transform-set TS esp-des esp-md5-hmac
!
crypto map CM 10 ipsec-isakmp
set peer 1.1.1.10
set transform-set TS
match address crypto_acl
!
interface Loopback0
ip address 10.1.3.1 255.255.255.0
!
interface FastEthernet0/1
ip address 3.3.3.1 255.255.255.0
duplex auto
speed auto
crypto map CM
!
ip route 0.0.0.0 0.0.0.0 3.3.3.5
!
ip access-list extended crypto_acl
permit ip host 10.1.3.1 host 10.1.1.1
permit ip host 10.1.3.1 host 2.2.2.10
!
end

R4:

version 15.2
!
hostname R4
!
interface GigabitEthernet0/0
ip address 1.1.1.5 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 2.2.2.5 255.255.255.0
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 3.3.3.5 255.255.255.0
!
end