I have a customer who is moving their servers to a new data centre from the head office (HO) but the ISP connection has to remain. What I need to achieve is a way to extend, securely, 6 DMZ?s from the HO to the new data centre.
My original idea was to use a pair of ASA 5520?s creating multiple L2L IPSec VPN connections - one for each DMZ to data centre.
6 DMZ VLANs  --> [ASA5520]-->Layer 2 network --> [ASA5520] -->  --> 6 DMZ VLANs
However, after trying to configure this I?ve come across a stumbling block. You can?t create multiple bidirectional L2L IPSec connection between two interfaces. I know conventionally implementation like this are of hub spoke design.
Another thought was to use dot1q tunnelling but I?m concerned about the security of this.
Any thoughts would be really welcomed!