A DMZ can be thought of as a transit/neutral area that limits external users/traffic coming into a network. Access is typically terminated at servers/services hosted in this area. This prevents the internal network from being directly accessed by outsiders, as the internal network is viewed as the most secure place in your network and must be protected accordingly.
Typically, you need to do address translation when allowing traffic from the DMZ to come in or talk to your internal resources. But in certain cases/scenarios, you can probably skip this.
The existence of several DMZs in a network is meant to host different groups of services/servers/resources, i.e. DMZ1 to host common/general public web servers/portals, DMZ2 to host your VPN/remote access services, DMZ3 to host secure e-commerce servers/front-end servers, DMZ4 to host routers/links to extranet/partner networks, and so on.
This design allows you to contain traffic to an individual DMZ, prevent/limit threat escalation, and gives flexibility in network design.
There are many docs & guidelines on designing and creating DMZs.
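As an added illustration (not part of the post above), the following Python model shows the zone layout described there as a default-deny policy: each DMZ is its own zone, inside resources are only reachable from a DMZ through a translated (static NAT) address, and a host in one DMZ cannot reach another DMZ. All prefixes, addresses and ports are constructed assumptions for the example.

```python
from ipaddress import ip_address, ip_network

# Zone layout from the post, with constructed example prefixes (assumption).
ZONES = {
    "OUTSIDE": ip_network("0.0.0.0/0"),      # catch-all for anything not listed below
    "DMZ1": ip_network("192.0.2.0/26"),      # public web servers / portal
    "DMZ2": ip_network("192.0.2.64/26"),     # VPN / remote access
    "DMZ3": ip_network("192.0.2.128/26"),    # e-commerce front ends
    "DMZ4": ip_network("172.16.0.0/24"),     # routers / links to partner networks
    "INSIDE": ip_network("10.0.0.0/8"),      # internal network, never reached directly
}

# Static NAT: address an inside server is exposed as (in DMZ space) -> real inside address.
STATIC_NAT = {
    "192.0.2.62": "10.1.1.20",    # constructed: DB server used by the DMZ1 web tier
    "172.16.0.250": "10.2.2.30",  # constructed: mail relay reachable from partner links
}

# Explicit permits as (src zone, dst zone, dst port); everything else is denied.
RULES = {
    ("OUTSIDE", "DMZ1", 443),
    ("OUTSIDE", "DMZ2", 443),
    ("OUTSIDE", "DMZ3", 443),
    ("DMZ1", "INSIDE", 1433),
    ("DMZ4", "INSIDE", 25),
}

def zone_of(addr):
    """Longest-prefix match so DMZ/INSIDE prefixes win over the OUTSIDE /0 catch-all."""
    ip = ip_address(addr)
    matches = [z for z, net in ZONES.items() if ip in net]
    return max(matches, key=lambda z: ZONES[z].prefixlen)

def evaluate(src, dst, port):
    """Untranslate the destination first (NAT before policy), then apply the zone rules.
    Returns (action, real_destination)."""
    real_dst = STATIC_NAT.get(dst, dst)
    s, d = zone_of(src), zone_of(real_dst)
    if s == d:
        return "permit", real_dst   # intra-zone traffic never crosses the firewall
    if d == "INSIDE" and dst == real_dst:
        return "deny", real_dst     # inside reached by its real address: no translation took place
    action = "permit" if (s, d, port) in RULES else "deny"
    return action, real_dst
```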