I'm trying to accomplish this task: VPN for outside clients, web access for inside clients, email, etc. Below are my devices and how they are connected.
The ISP connects to 1 x 2800 series router, which connects to the outside interface of 1 x 5520 firewall. The DMZ interface connects to a Dell PowerConnect switch to the server. The inside interface connects to a PowerConnect switch to my 8 x Cisco 881 series routers.
This is my running config so far.
interface gigabitethernet 0/0
ip address 126.96.36.199 255.255.255.224
interface gigabitethernet 0/1
ip address 100.100.2.1 255.255.255.0
interface gigabitethernet 0/2
no ip address
interface gigabitethernet 0/3
ip address 192.168.1.1 255.255.255.0
enable password Password1
same-security-traffic permit inter-interface
route outside 0 0 188.8.131.52 1
nat (inside2) 1 100.100.2.0 255.255.255.0
! The inside1 and inside2 networks use PAT when accessing the outside
global (outside) 1 184.108.40.206 netmask 255.255.255.255
! Because we perform dynamic NAT on these addresses for outside access, we need to perform
! NAT on them for all other interface access. This identity static statement just
! translates the local address to the same address.
static (inside1,inside2) 100.100.1.0 100.100.1.0 netmask 255.255.255.0
static (inside2,inside1) 100.100.2.0 100.100.2.0 netmask 255.255.255.0
! The syslog server uses a static translation so the outside management host can access
! the server
static (dmz,outside) 220.127.116.11 192.168.1.0 netmask 255.255.255.255
access-list MANAGE remark Allows the management host to access the syslog server
access-list MANAGE extended permit tcp host 18.104.22.168 host 22.214.171.124 eq telnet
access-group MANAGE in interface outside
! Advertises the security appliance IP address as the default gateway for the downstream
! router. The security appliance does not advertise a default route to the router.
rip inside2 default version 2 authentication md5 scorpius 1
! Listens for RIP updates from the downstream router. The security appliance does not
! listen for RIP updates from the router because a default route to the router is all that
! is required.
rip inside2 passive version 2 authentication md5 scorpius 1
! The client uses a pre-shared key to connect to the security appliance over IPSec. The
! key is the password in the username command following.
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 group 2
isakmp policy 1 hash sha
isakmp enable outside
crypto ipsec transform-set vpn_client esp-3des esp-sha-hmac
username admin password passw0rd
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
crypto dynamic-map vpn_client 1 set transform-set vpn
crypto map telnet_tunnel 1 ipsec-isakmp dynamic vpn_client
crypto map telnet_tunnel interface outside
ip local pool client_pool 10.1.1.2
access-list VPN_SPLIT extended permit ip host 126.96.36.199 host 100.100.2.1
telnet 100.100.2.1 255.255.255.255 outside
telnet timeout 30
logging trap 5
! System messages are sent to the syslog server on the DMZ network
logging host dmz 192.168.1.1
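
A consistency check for the configuration above, as an added example that is not part of the original post: the interface blocks as posted contain no `nameif` lines, yet later commands refer to interfaces by name (`outside`, `inside1`, `inside2`, `dmz`). The pattern list is an assumption that covers only the command forms appearing in the post, and `POSTED` is an excerpt of it.

```python
import re

# Excerpt of the configuration posted above (addresses exactly as shown on the page).
POSTED = """\
interface gigabitethernet 0/0
ip address 126.96.36.199 255.255.255.224
route outside 0 0 188.8.131.52 1
nat (inside2) 1 100.100.2.0 255.255.255.0
global (outside) 1 184.108.40.206 netmask 255.255.255.255
static (inside1,inside2) 100.100.1.0 100.100.1.0 netmask 255.255.255.0
access-group MANAGE in interface outside
rip inside2 default version 2 authentication md5 scorpius 1
isakmp enable outside
crypto map telnet_tunnel interface outside
telnet 100.100.2.1 255.255.255.255 outside
telnet timeout 30
logging host dmz 192.168.1.1
"""

# Each pattern captures the interface name(s) a command refers to.
REFERENCES = [
    re.compile(r"^(?:nat|global|static) \(([\w,-]+)\)"),
    re.compile(r"^(?:route|rip) ([\w-]+) "),
    re.compile(r"^(?:isakmp enable|logging host) ([\w-]+)"),
    re.compile(r"^(?:access-group \S+ (?:in|out)|crypto map \S+) interface ([\w-]+)"),
    re.compile(r"^telnet \S+ \S+ ([\w-]+)$"),  # skips "telnet timeout 30"
]

def declared_names(config):
    """Interface names assigned with 'nameif <name>'."""
    return {m.group(1) for m in re.finditer(r"^\s*nameif (\S+)", config, re.M)}

def referenced_names(config):
    """Map each referenced interface name to the line numbers that use it."""
    refs = {}
    for lineno, line in enumerate(config.splitlines(), 1):
        for pat in REFERENCES:
            m = pat.match(line.strip())
            if m:
                for name in m.group(1).split(","):
                    refs.setdefault(name, []).append(lineno)
    return refs

def undeclared(config):
    """Names used by some command but never assigned with nameif."""
    known = declared_names(config)
    return {n: ls for n, ls in referenced_names(config).items() if n not in known}

if __name__ == "__main__":
    for name, lines in sorted(undeclared(POSTED).items()):
        print(f"{name}: used on line(s) {lines}, no matching nameif")
```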