I once read somewhere in the old Cisco SAFE that it is better to design a DMZ with a PIX/ASA on the outside and then one on the inside of the DMZ address space, vs. simply using an interface on one PIX/ASA as the DMZ, but for the life of me I cannot remember what the justification for this was.
I designed a DMZ for a customer in the two-ASA design. I have an outside perimeter ASA that faces the internet. On the inside interface is the DMZ. The second ASA guards the DMZ space from the inside networks. Its outside interface is the DMZ address space, while its inside interface is the inside network(s).
Can someone explain why this is a better design?
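To make the two designs in the question concrete, here is an added example (my own toy model, not part of the original post or any Cisco material) that evaluates interface ACLs for a single three-interface ASA and for the perimeter-ASA-plus-inner-ASA design. The addresses, the hypothetical web and database servers, the rules and the "permit any" troubleshooting mistake are all constructed for the example; NAT, security levels and stateful return traffic are deliberately left out of the model.

```python
"""Toy model of the two DMZ designs from the question: a single ASA with
three interfaces versus a perimeter ASA in front of a second, inner ASA.

Only interface ACLs with first-match semantics and an implicit deny are
modelled; NAT, security levels and stateful return traffic are left out.
All addresses, hosts and rules are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str                      # source network, CIDR notation
    dst: str                      # destination network, CIDR notation
    dport: Optional[int] = None   # None matches any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def evaluate(acl: List[Rule], flow: Flow) -> bool:
    """First matching rule wins; no match means the implicit deny at the end."""
    for rule in acl:
        if (ip_address(flow.src) in ip_network(rule.src)
                and ip_address(flow.dst) in ip_network(rule.dst)
                and rule.dport in (None, flow.dport)):
            return rule.action == "permit"
    return False


# Constructed address plan (TEST-NET-1 for the DMZ, RFC 1918 for the inside).
DMZ = "192.0.2.0/24"
INSIDE = "10.0.0.0/8"
WEB = "192.0.2.10/32"     # hypothetical web server in the DMZ
DB = "10.1.1.10/32"       # hypothetical database on the inside network
ANY = "0.0.0.0/0"

# Intended policy: internet -> web server on 443; only the web server -> DB on 5432.
INTERNET_INGRESS = [Rule("permit", ANY, WEB, 443)]
DMZ_TO_INSIDE = [Rule("permit", WEB, DB, 5432)]


def single_asa_permits(flow: Flow,
                       outside_acl: Optional[List[Rule]] = None,
                       dmz_acl: Optional[List[Rule]] = None) -> bool:
    """One ASA, three interfaces: a flow is filtered once, by the ACL on the
    interface it enters on. Internet-to-inside traffic is therefore decided
    solely by the outside interface ACL."""
    outside_acl = INTERNET_INGRESS if outside_acl is None else outside_acl
    dmz_acl = DMZ_TO_INSIDE if dmz_acl is None else dmz_acl
    if ip_address(flow.src) in ip_network(DMZ):
        return evaluate(dmz_acl, flow)
    return evaluate(outside_acl, flow)


def two_asa_permits(flow: Flow,
                    perimeter_acl: Optional[List[Rule]] = None,
                    inner_acl: Optional[List[Rule]] = None) -> bool:
    """Perimeter ASA (internet -> DMZ) in front of an inner ASA (DMZ -> inside).
    An internet-to-inside flow has to be permitted by both devices."""
    perimeter_acl = INTERNET_INGRESS if perimeter_acl is None else perimeter_acl
    inner_acl = DMZ_TO_INSIDE if inner_acl is None else inner_acl
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    permitted = True
    if src not in ip_network(DMZ) and src not in ip_network(INSIDE):
        permitted = evaluate(perimeter_acl, flow)   # enters the perimeter ASA from the internet
    if permitted and dst in ip_network(INSIDE):
        permitted = evaluate(inner_acl, flow)       # enters the inner ASA on its DMZ-facing outside interface
    return permitted


def with_permit_any(acl: List[Rule]) -> List[Rule]:
    """Constructed mistake: a 'permit ip any any' left on the internet-facing ACL
    after troubleshooting."""
    return acl + [Rule("permit", ANY, ANY)]


if __name__ == "__main__":
    flows = {
        "internet->web": Flow("203.0.113.5", "192.0.2.10", 443),
        "internet->db": Flow("203.0.113.5", "10.1.1.10", 5432),
        "web->db": Flow("192.0.2.10", "10.1.1.10", 5432),
    }
    for name, flow in flows.items():
        print(f"{name:13s} single={single_asa_permits(flow)!s:5} two={two_asa_permits(flow)}")
    bad = with_permit_any(INTERNET_INGRESS)
    print("internet->db with permit-any on the internet-facing ACL:",
          "single =", single_asa_permits(flows["internet->db"], outside_acl=bad),
          "two =", two_asa_permits(flows["internet->db"], perimeter_acl=bad))
```

With the intended policy both designs give the same answers. The difference shows up in the last line of output: once the internet-facing ACL carries a stray permit-any, the single ASA forwards the internet-to-database flow, whereas in the two-ASA design the inner ASA still evaluates it against its own DMZ-to-inside policy and drops it. That is the property the model is meant to make visible: an outside-to-inside flow crosses two separately configured enforcement points, so a single ACL mistake (or a single compromised device) on the perimeter does not by itself expose the inside networks.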