Let me clarify a couple of things. I had suggested installing another router to connect to the DMZ interface only as a solution to placing two or more VLANs behind the DMZ (just like you have multiple VLANs behind the Inside interface). Since this is not the case, and the web and VPN servers are in the same VLAN (28), then we don’t need that. Based on your description, this is the topology I have come up with:
Now on the Router on a stick, you would have a default route to 10.15.1.2 since everything (Internet, DMZ, the rest of the world) is accessible only via the inside interface of the ASA. Here you can specify something more specific, like the IP addresses of the servers, but it will actually make no difference in the functionality of the network.
Secondly, you would have the web and VPN servers hanging off of the DMZ interface. Now in order for the ASA to route traffic appropriately, you will have to do the following:
route 10.10.1.0/27 via 10.15.1.1
route 10.20.1.0/27 via 10.15.1.1
route 10.12.1.0/27 via 10.15.1.1
route 0.0.0.0 via Internet next hop IP
The rest of the networks including 10.15.10.0/24 and 10.10.100.0/24 are directly connected, so no additional routing is necessary. You must verify that the servers are using 10.10.100.10 (the DMZ interface) as their default gateway.
Finally, in order to get the servers accessible from the public to the DMZ, you can either employ Static NAT or NAT port forwarding. These two lessons describe these features in detail:
You can use a second ASA in the event that you want to introduce redundancy in an active/standby failover situation. You can find out more about this here:
I hope this has been helpful!
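To make the forwarding logic in the reply above concrete, here is an added example (not part of the original post or any Cisco code) that models the ASA's routing table with longest-prefix match over the routes listed there. The interface names (inside, dmz, outside), the /24 mask on the inside link (10.15.1.0/24, containing 10.15.1.1 and 10.15.1.2), and the outside address 203.0.113.2 with Internet next hop 203.0.113.1 are assumptions; the other addresses and prefixes come from the post.

```python
import ipaddress

# Directly connected ASA interfaces. Addresses for inside and dmz come from
# the post; the inside /24 mask and the outside link are assumed values.
INTERFACES = {
    "inside": ipaddress.ip_interface("10.15.1.2/24"),
    "dmz": ipaddress.ip_interface("10.10.100.10/24"),
    "outside": ipaddress.ip_interface("203.0.113.2/30"),  # assumed
}

# Static routes from the post: (destination prefix, next hop).
STATIC_ROUTES = [
    ("10.10.1.0/27", "10.15.1.1"),
    ("10.20.1.0/27", "10.15.1.1"),
    ("10.12.1.0/27", "10.15.1.1"),
    ("0.0.0.0/0", "203.0.113.1"),  # "Internet next hop IP" (assumed value)
]


def build_table():
    """Return routing entries as (network, egress interface, next hop).

    Connected networks have no next hop. A static route's egress interface
    is the connected interface whose subnet contains the next hop; a next
    hop that no interface can reach is a configuration error.
    """
    table = [(iface.network, name, None) for name, iface in INTERFACES.items()]
    for dest, nh in STATIC_ROUTES:
        nh_ip = ipaddress.ip_address(nh)
        egress = next((name for name, iface in INTERFACES.items()
                       if nh_ip in iface.network), None)
        if egress is None:
            raise ValueError(f"next hop {nh} for {dest} is not on any interface")
        table.append((ipaddress.ip_network(dest), egress, nh_ip))
    return table


def lookup(dst, table=None):
    """Longest-prefix match for dst: (egress interface, next hop or None)."""
    table = table or build_table()
    dst_ip = ipaddress.ip_address(dst)
    best = max((e for e in table if dst_ip in e[0]),
               key=lambda e: e[0].prefixlen)
    return best[1], (str(best[2]) if best[2] is not None else None)


if __name__ == "__main__":
    for dst in ("10.10.1.5", "10.10.100.20", "10.15.1.1", "8.8.8.8"):
        print(dst, "->", lookup(dst))
```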