Well, simple if you know about such things, perhaps not so simple otherwise.
It's super simple, and very safe, to provide basic web access with Linux and a proxy server (or a Windows system with OpenSSH running). We simply use a statically mapped IP to allow one of the host in the virtual lab to be reachable from the production network. We then SSH to the machine in the virtual lab from a machine on the production network and use the "-R" option to forward a port on the machine in the virtual lab over the SSH tunnel to our proxy server. Then, on other systems in the virtual lab we simply configure them to use the SSH tunnel on the virtual lab machine as their proxy server, which provides access via the reverse tunnel to the "real" proxy server. Works great! Especially if you already have Linux boxes in your environment (or Windows boxes running SSH).
But of course, this only provides web access, any only for those systems that can use a proxy. We've been thinking of taking this idea to the extreme by using the same basic concept but with OpenVPN. Our thought was to create a special Linux VM to use as a "virtual lab internet gateway". Make sure this system is accessible via "static mapping" and have a host on the production network create an OpenVPN tunnel to the "internet gateway" to route the two networks. Configure your hosts in the virtual lab to use this box as their default gateway instead of the proxy appliance and they have internet access.
Of course, you'd need to be careful setting up full networking, you don't want to mess up any routing and conflict with your production network, and you don't even want those hosts being able to talk to your production DNS servers or other hosts, so a "full network tunnel" setup is best left to networking professionals who understand that stuff, but the proxy setup is quite safe and, if your know about SSH, takes just a minute or two.