This is certainly possible, although the details will vary depending on the equipment that you choose. One popular way of doing this is to have 3 ports on your firewall, one of which leads to a completely separate DMZ segment. This has the advantage of isolating the publicly accessible portion of your customer's network from the private part, thereby enhancing security.
Assuming you are planning on using IPsec as your VPN, you will want to ensure that you configure its policy to allow non-VPN packets to bypass IPsec. RFC 2401 has more about IPsec policies, but you will need to consult the user manual for your firewall/VPN device for details on the default policy and configuration.
This was first published in July 2007
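The bypass policy described above can be modeled as an ordered list of RFC 2401 security policy entries, each of which applies IPsec, bypasses it, or discards the packet. The following is an added example, not part of the original answer or any vendor's configuration syntax; the subnets, entry list and function names are assumptions made for illustration. It also checks for a common misordering in which a broad bypass entry sits above the VPN entry.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for a three-port firewall (private/documentation ranges).
LAN, REMOTE_SITE = "10.0.1.0/24", "10.0.2.0/24"   # private LAN, far end of the VPN
DMZ, ANY = "192.0.2.0/28", "0.0.0.0/0"            # public servers, everything

@dataclass(frozen=True)
class SpdEntry:
    src: str
    dst: str
    action: str   # "PROTECT" (apply IPsec), "BYPASS" or "DISCARD"
    note: str

    def matches(self, src_ip, dst_ip):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))

    def covers(self, other):
        """True if every packet matching `other` also matches this entry."""
        net = ipaddress.ip_network
        return (net(other.src).subnet_of(net(self.src))
                and net(other.dst).subnet_of(net(self.dst)))

# Ordered policy: the first matching entry decides. BYPASS only skips IPsec;
# the firewall's own filter rules still apply to the packet.
SPD = [
    SpdEntry(LAN, REMOTE_SITE, "PROTECT", "site-to-site VPN traffic"),
    SpdEntry(REMOTE_SITE, LAN, "PROTECT", "return VPN traffic"),
    SpdEntry(ANY, DMZ, "BYPASS", "public access to DMZ servers"),
    SpdEntry(DMZ, ANY, "BYPASS", "DMZ server replies"),
    SpdEntry(LAN, ANY, "BYPASS", "ordinary Internet access from the LAN"),
    SpdEntry(ANY, ANY, "DISCARD", "default: drop anything not listed"),
]

def spd_lookup(src_ip, dst_ip, spd=SPD):
    """Return (action, note) of the first entry matching the packet."""
    for entry in spd:
        if entry.matches(src_ip, dst_ip):
            return entry.action, entry.note
    return "DISCARD", "no entry matched"   # this example's fail-closed choice

def shadowed_entries(spd=SPD):
    """Return (index, earlier_index) for entries an earlier entry fully covers."""
    return [(j, i) for j, later in enumerate(spd)
            for i, earlier in enumerate(spd[:j]) if earlier.covers(later)]
```

If the "ordinary Internet access" entry is moved to the top of the list, `shadowed_entries` reports the VPN entry as unreachable, which in practice means site-to-site traffic would leave unencrypted.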