Restrict PPTP & Lan Access

Unanswered Question
May 3rd, 2009


I have an 851 router which is configured for an IPSEC VPN tunnel, PPTP & Internet access.

I have 15 or so machines that need to communicate with each other; the other 10 or so are managed internally but will also be managed externally.

The current config will work; however, I am concerned about security.

The external companies, 3 of them, need access to their own specific hosts only, and those hosts should have no access to the other hosts or servers on the same subnet (apart from one internal machine).

Ideally I would like to retain remote access for support purposes, but if I have to I can completely separate the two sets of machines on physical networks, although this will cause some issues.

I thought of creating multiple vpdn groups with a single ip address and applying access-lists. What is the best way of accomplishing this?

Any suggestions gratefully received.

vpdn enable
!
vpdn-group 123
 ! Default PPTP VPDN group
 protocol pptp
 virtual-template 101
 local name VPN
 l2tp tunnel receive-window 128
!
interface Virtual-Template101
 ip unnumbered Vlan1
 peer default ip address pool pptp-pool
 ppp authentication ms-chap
!
interface Vlan1
 description Connected to LAN
 ip address
 ip nat inside
 ip virtual-reassembly
!
ip local pool pptp-pool

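One way to get the restriction the question asks for on the existing single virtual-template, as an added illustration that is not part of the original post or of any reply: an inbound ACL on Virtual-Template101 that lets PPTP clients reach only the vendor-managed hosts and the one shared internal machine. All addresses below are placeholders (the post's own addresses are not shown); the LAN is assumed to be 10.10.10.0/24, the pool 10.10.10.200-210, the vendor hosts .21/.22/.23 and the shared internal box .5.

```cisco
! Added example, not the poster's config. All addresses are assumed placeholders.
ip local pool pptp-pool 10.10.10.200 10.10.10.210

! Packets arriving from PPTP clients (pool range covered by the /27 wildcard)
! may only reach the three vendor hosts and the one shared internal machine.
! Everything else on the LAN hits the explicit deny and is logged.
ip access-list extended PPTP-IN
 permit ip 10.10.10.192 0.0.0.31 host 10.10.10.21
 permit ip 10.10.10.192 0.0.0.31 host 10.10.10.22
 permit ip 10.10.10.192 0.0.0.31 host 10.10.10.23
 permit ip 10.10.10.192 0.0.0.31 host 10.10.10.5
 deny   ip any any log

interface Virtual-Template101
 ip unnumbered Vlan1
 peer default ip address pool pptp-pool
 ! ms-chap-v2 assumed here in place of the post's ms-chap
 ppp authentication ms-chap-v2
 ! the virtual-template is the only point the router sees tunnel traffic,
 ! so the inbound ACL sits here rather than on Vlan1
 ip access-group PPTP-IN in
```

This is one policy for every PPTP user; to give each company its own host only, the same kind of ACL has to be pushed per user from AAA (RADIUS Cisco-AVPair `ip:inacl#1=permit ip any host ...`) rather than bound to the shared template. Traffic between LAN hosts on Vlan1 never crosses the router, so the vendor hosts themselves still need a separate control (VLAN or host firewall) to keep them off the rest of the subnet.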
htarra Sun, 05/10/2009 - 08:51

I think you can configure multihop VPDN. Multihop virtual private dialup networking (VPDN) is a specialized VPDN configuration that allows packets to pass through multiple tunnels. Ordinarily, packets are not allowed to pass through more than one tunnel. In a multihop deployment, the VPDN tunnel is terminated after each hop and a new tunnel is initiated to the next hop destination.

Communications Thu, 05/21/2009 - 10:03

Hi htarra,

Thanks for responding. In the end I decided to replace the router with an ASA, as we were also required to separate the networks.

