I would use the second design, and in order to make routing less complex, I would use a single DMZ link between VPN ASA and Perimeter ASA. As opposed to the first design, with the second one, you can better control decrypted traffic with an inbound/global ACL on the Perimeter ASA.
Cristian Matei, CCIE #23684 (SC/R&S)
Online Community: http://www.ieoc.com
CCIE Blog: http://blog.ine.com