Think of a router/firewall with three interfaces: internet, internal, and DMZ. On the internet side you have your uplink. On the internal side, you have your non-internet facing or private hosts. On the DMZ interface you connect any hosts that are accessible directly from the internet.
http://www.shorewall.net/three-interface.htm
If you're going to use two firewall layers, then best security practice dictates that you use two different vendors, with the theory being that vulnerability in one will not be in the other (in my experience this is true in practice). If you haven't already purchased the two ASAs and your budget allows, I'd recommend using a different solution for one of the layers.
Technically speaking, what you have is not a DMZ. A true DMZ would be hanging off your external firewall layer and not on the vlan between the two firewall layers. That's possibly semantics and may not be something you can do much about. For connections back from your DMZ to your LAN, you only have to go through one firewall. Most folk segregate such zones with two firewalls with a middle layer in between the two firewalls. Your design merges the DMZ and middle layer and to be honest, the DMZ servers in this configuration are a nice jump point (if hacked) to your lan where I presume more important data etc is held.
Just wondering, does your budget allow L2/L3 switches so your servers aren't directly connected to the firewalls?
For internal access from the LAN to the DMZ servers, I don't believe that you'll need NAT rules because you can just have a route from your LAB to the 192.169 network to go via the internal firewall (assuming it's configured to allow and route those packets).
Why are you using 192.169.. as an internal IP range? Read RFC1918, that's not a private IP range.
How do clients access the Internet?
Best Answer
Thoughts: