So now let's take a look and see what you're trying to do.
Not trying, it's done and works.
Where is the VPN client? From the internet?
Yes, or LAN.
If everybody is having a hard time working out how it works, setting it up with an M4100 series switch is the only way you know why it works.
Also, from that picture there is no firewall in this either.
There is a firewall on both WANs.
Port mirroring is something I've only really used as a diagnostic aid, with Wireshark normally.
This is not port mirroring; this is Mirror Interface, an option in ACL on the M4100 series switch. As said, I would like to have used Redirect Interface but it doesn't work.
Also, wth is up with ports 8 and 9 on your diagram? Let me see if I can decipher what you have there:
Port 6 - Trunk (vlan 7 tagged), native vlan 9 untagged
Port 7 - Trunk (vlan 8 tagged), native vlan 9 untagged
Port 8 - Trunk (vlan 9 tagged), native vlan 7 (and 8??? ) untagged
Port 9 - native vlan 200 untagged
And you have ports 8 and 9 physically connected... That would mean VLANs 7, 8 and 200 are all untagged on that port, which means those VLANs aren't segregated at all. wth?
I have a Cisco SG300-10 and I can't get its VLAN to do what Netgear switches can do, so I guess that's why you're having a hard time working out how to do it in a Cisco switch. You don't have to have VLAN 200; you can connect port 8 to the gateway. It's just there so you can deny 192.168.137.4 on port 9 after you permit the mirror to port 2 on port 6. It's also a cool trick to get more ACL rules in.
Port 8 - Trunk (vlan 9 tagged), native vlan 7 and 6 untagged
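The segregation question raised above (ports 8 and 9 cabled together, with VLANs 7 and 8 untagged on port 8 and VLAN 200 untagged on port 9) can be checked mechanically rather than by eye. The following is an added example, not code from either poster or from Netgear: it models 802.1Q ingress classification (an untagged frame arriving on a port is placed in that port's PVID) and reports which VLANs end up in one broadcast domain. The port table is the one listed in the thread; the port names, the link list and the choice of 7 as port 8's PVID (a port has only one PVID and the thread does not say which) are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    """802.1Q port membership as read from the diagram in the thread."""
    name: str
    pvid: int                          # VLAN given to untagged frames on ingress
    untagged: frozenset = frozenset()  # VLANs transmitted untagged on egress
    tagged: frozenset = frozenset()    # VLANs transmitted/accepted with a tag


class VlanDomains:
    """Union-find over VLAN IDs; VLANs in one set share a broadcast domain."""

    def __init__(self):
        self.parent = {}

    def add(self, vid):
        self.parent.setdefault(vid, vid)

    def find(self, vid):
        self.add(vid)
        while self.parent[vid] != vid:
            self.parent[vid] = self.parent[self.parent[vid]]  # path halving
            vid = self.parent[vid]
        return vid

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb

    def groups(self):
        out = {}
        for vid in list(self.parent):
            out.setdefault(self.find(vid), set()).add(vid)
        return {frozenset(g) for g in out.values()}


def merged_domains(ports, links):
    """Return every set of VLANs that a cable between two ports collapses into
    one broadcast domain.

    Model: a frame leaving `src` untagged on VLAN v arrives at `dst` with no
    tag, so the switch classifies it into dst.pvid; v and dst.pvid are then no
    longer separated. Tagged frames keep their VID, so they are either forwarded
    in the same VLAN or dropped, and never merge anything.
    """
    dom = VlanDomains()
    for p in ports.values():
        for vid in p.untagged | p.tagged | {p.pvid}:
            dom.add(vid)
    for a, b in links:
        for src, dst in ((ports[a], ports[b]), (ports[b], ports[a])):
            for vid in src.untagged:
                dom.union(vid, dst.pvid)
    return {g for g in dom.groups() if len(g) > 1}


# Port table as listed in the thread. Port 8's PVID is not stated; a port has
# exactly one PVID, so 7 (the first untagged VLAN listed) is ASSUMED here.
DIAGRAM_PORTS = {
    6: Port("port6", pvid=9, untagged=frozenset({9}), tagged=frozenset({7})),
    7: Port("port7", pvid=9, untagged=frozenset({9}), tagged=frozenset({8})),
    8: Port("port8", pvid=7, untagged=frozenset({7, 8}), tagged=frozenset({9})),
    9: Port("port9", pvid=200, untagged=frozenset({200})),
}
DIAGRAM_LINKS = [(8, 9)]  # the cable between ports 8 and 9 (assumed from the diagram)


def analyse_diagram():
    """Broadcast domains that the port 8 to port 9 cable merges."""
    return merged_domains(DIAGRAM_PORTS, DIAGRAM_LINKS)


if __name__ == "__main__":
    for group in analyse_diagram():
        print("one broadcast domain:", sorted(group))
```

With the cable in place the result is a single group {7, 8, 200}, which is the "not segregated at all" outcome described above; VLAN 9 stays separate because it only crosses that link tagged. Remove the link (an empty `links` list) and no VLANs merge, which is the check to run against any revised port table before trusting an ACL on port 9 to do the isolation.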
From the other thread, I am still wondering why you are assigning VPN clients addresses in your inside address range? Do it properly: give them their own subnet and ROUTE them internally.
It can't be done properly, because if you have a VPN server giving out LAN IPs and the client wants internet access, the VPN server in Windows 7 sends that traffic out to the WAN where nothing will happen. Whereas in XP you can have ICS and a VPN server on one PC and it NATs the clients wanting internet access; Windows 7 does not do this, so there is no proper way of doing it unless you have many WAN IPs that you use for the VPN server to hand out, and even then the IPs have to be in the same subnet.
Eh? It looks like you are trying to bodge something because you don't have the correct equipment. You appear to be attempting to make an L2 switch behave like a router?
There are ways and then there are ways, and either way it works if you understand and know what you are doing, and you might not know something I know.