We have a vendor (web site hosting) who is requiring us to set up a VPN in order to access our web server. They will not support client-based VPNs, so we have to set up a tunnel to our PIX 515e. Because the clients that need access to the web server are on the inside network, we must terminate the tunnel on our inside interface. Obviously, having an unrestricted tunnel from a web server to your internal network is not secure. I also support client VPNs on the 515 into our internal network.
I understand that I can choose to not use "sysopt connection permit-ipsec", but this will break my client VPNs. I understand that I can set up access lists on my internal interface to restrict outbound traffic to the vendor; however, that will restrict outbound traffic only (not a secure solution), and traffic could still get in.
Anyone have any ideas on how to provide our internal clients access across this VPN tunnel to our vendor securely, while still allowing outside VPN clients access to my internal network?