L2L VPN security level Higher to Lower?

fsebera
Level 4

We have an ASA5520 firewall, IOS 8.0(4), running in routed mode with an operational Cisco 2821 router to ASA-5520 L2L IPsec VPN.

:

All Internet searches explain how to enable a L2L IPsec VPN from the LOWER security-level interface to a HIGHER security-level interface, and this is how our setup is configured; it is operational and working fine.

:

We now have a need to set up another L2L IPsec VPN tunnel on the same firewall, BUT this time traffic will be arriving on the HIGHER security-level interface and the destination is a LOWER security-level interface.

:

Is it possible to enable a L2L IPsec VPN tunnel between a HIGHER security-level interface to a LOWER security-level interface?

Could you assist with any special configs?

I can paste my current operational config if needed.

Thanks

Frank

5 Replies

manish arora
Level 6

Hi fsebera,

Can you explain your question in simple terms? Are you saying that you need to set up a tunnel between two sites, let's say A and B, where all traffic including general Internet from site B will come into the tunnel and then head out to the Internet?

Manish

No Internet at ANY point.

No Inside or Outside nameif interfaces.

:

nameif DMZ-1 with a security-level 50

nameif DMZ-2 with a security-level 60

Cisco 2821 router <---------------[DMZ-1]----ASA5520----[DMZ-2]---network

This is operational and working well.

:

Now we need to enable a new L2L IPsec VPN to arrive on DMZ-1 (security-level 50) to reach devices in DMZ-3 (security-level 20).

Also, the remote Cisco 2821 router will ALWAYS initiate the VPN connection, as this remote Cisco router is mobile.

Hope this is clear.

Tks

Frank

I have never tested something like this, but I think you will not need any special configuration for that. VPN terminating on DMZ-1 means the traffic will get decrypted on that interface and then will head to your DMZ-3, where it will be checked against the access list just like normal traffic.

VPN in your case is just to encrypt packets between site A and site B. After it reaches site B, it is up to firewall B to route it to its destination according to the route table and access lists, since the VPN is not terminating on that interface.

Manish

FYI,
:
Long story short - it does not matter and has no effect.
:
:
I cleared the config from the ASA 5520,
Reloaded, added in required static routes,

ASDM parameters for management,

Configured interfaces as:

:

nameif DMZ-1 with a security-level 50

nameif DMZ-2 with a security-level 60

nameif DMZ-3 with a security-level 30

:

I loaded ASDM, configured the L2L VPN via the IPsec VPN Wizard - same parameters as before - and saved the config.

:

From the remote site I made a successful connection to the lower security-level devices - no problem.

Security-level seems not to play a role in this setup, as most Cisco documentation implies (or perhaps something is wrong :})

:

Cisco 2821 router <---------------[DMZ-1]----ASA5520----[DMZ-3]---network

Cisco 2821 router <---------------[DMZ-1]----ASA5520----[DMZ-2]---network

This is operational and working well.

Regards

Frank

By default, the ASA allows decrypted traffic into the ASA. If you wanted to control traffic passing from the higher to the lower interface, you would need to disable "sysopt connection permit-vpn" and set up an access-list/access-group to deny the traffic. We generally don't recommend disabling this though, because it will affect all VPN tunnels (so you'll need to configure the necessary permits/denies for all of your VPNs rather than just this one).

Here's more information about that command from the command reference:

"By default, the security appliance allows VPN traffic to terminate on a security appliance interface; you do not need to allow IKE or ESP (or other types of VPN packets) in an interface access list. By default, you also do not need an interface access list for local IP addresses of decrypted VPN packets. Because the VPN tunnel was terminated successfully using VPN security mechanisms, this feature simplifies configuration and maximizes the security appliance performance without any security risks. (Group policy and per-user authorization access lists still apply to the traffic.)

You can require an interface access list to apply to the local IP addresses by entering the no sysopt connection permit-vpn command. See the access-list and access-group commands to create an access list and apply it to an interface. The access list applies to the local IP address, and not to the original client IP address used before the VPN packet was decrypted."

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1412217

It sounds like you've got this figured out (if so, please mark the post as resolved and remember to rate any posts that helped you).
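To make the difference concrete, here is an added ASA configuration fragment (not from the thread or from Cisco's documentation) showing the default setting beside the alternative described above. The subnets and the access-list name are placeholders constructed for this example; DMZ-1 and DMZ-3 are the interface names from Frank's setup.

```text
! --- Default (ASA 8.0): decrypted L2L traffic bypasses interface ACLs ---
! With this enabled, packets arriving through the tunnel on DMZ-1
! (security-level 50) reach DMZ-3 (security-level 30) without being
! checked against the DMZ-1 interface access list.
sysopt connection permit-vpn

! --- Alternative: apply the DMZ-1 interface ACL to decrypted traffic ---
! Placeholder addresses, constructed for this example:
!   remote (mobile 2821) LAN behind the tunnel : 192.0.2.0/24
!   DMZ-3 hosts the remote site is allowed to reach : 198.51.100.0/24
! Note: this is global and affects every tunnel on the ASA, so each VPN's
! local addresses must be covered by the ACL of the interface it lands on.
no sysopt connection permit-vpn
!
! The ACL matches the local (decrypted) addresses, not the peer's public IP.
access-list DMZ-1_IN extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list DMZ-1_IN extended deny ip any any log
access-group DMZ-1_IN in interface DMZ-1
```

The crypto map, NAT exemption and static routes for the tunnel are unchanged by this; only whether the DMZ-1 interface ACL is consulted for the decrypted packets differs.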