Cisco Support Community
Community Member

PPTP VPN, need to limit user internal access

I have Windows PPTP VPN access set up on an 1841 router. I need to be able to restrict access to internal hosts for VPN users. I have tried 'username access-class', but it does not seem to be working, unless I am just formatting my access list wrong or something.


username vpntest access-class 150 password test

access-list 150 permit ip host

access-list 150 deny ip any any

VPDN pool is, main internal network is, with several others also (

In the example above, I want the VPN user to only be able to access that particular host. However, when I log in, I can ping any host.
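The following is an added example, not configuration from the original post, showing where a traffic filter for PPTP users actually attaches on IOS. `username ... access-class` applies an access list to that user's EXEC (terminal) session on the router; it does not filter packets forwarded over the PPP link. An inbound ACL on the Virtual-Template is inherited by every Virtual-Access interface cloned from it and is evaluated on the client's traffic. The pool, host address and interface name are assumptions.

```cisco
! Added example (not from the original thread). Assumed values:
!   PPTP address pool      : 10.0.100.1 - 10.0.100.50
!   only reachable host    : 192.168.1.10
!   LAN interface          : FastEthernet0/1
!
! 'username ... access-class' only restricts the user's terminal session
! on the router itself, so a plain username entry is enough here.
username vpntest password 0 test
!
ip local pool MSVPN 10.0.100.1 10.0.100.50
!
! Named extended ACL evaluated on packets arriving FROM the VPN client.
! First match wins; everything not matched is dropped by the final deny.
ip access-list extended VPN-USERS-IN
 remark tunnel addresses may reach one internal host only
 permit ip 10.0.100.0 0.0.0.255 host 192.168.1.10
 remark log what the policy blocks, useful while testing
 deny   ip any any log
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/1
 peer default ip address pool MSVPN
 ip access-group VPN-USERS-IN in
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
! Verification after a client connects:
!   show ip access-lists VPN-USERS-IN      hit counters increment per line
!   show ip interface virtual-access 1     "Inbound access list is VPN-USERS-IN"
```

This applies one policy to every PPTP user. Per-user filters are normally delivered by a AAA server at login (for example a RADIUS Filter-Id attribute naming an ACL on the router) rather than from the local username database. Note also that PPTP with MS-CHAP/MS-CHAPv2 and MPPE is not considered secure today; the ACL limits what a brute-forced or stolen account can reach, it does not fix the tunnel's cryptography.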

Community Member

Re: PPTP VPN, need to limit user internal access


I am also trying to set up Windows PPTP VPN access on a Cisco 1841 router with IOS version 12.4. Could you please help me with the configs you used, as I am getting an error 619 message whenever I try connecting. I have a context-based access list firewall configured on the Internet interface. This is inspecting cuseeme, ftp, realaudio, tftp, udp, icmp and esmtp out. I have an extended access list configured on the LAN interface permitting protocol GRE and TCP port 1723, but it still gives me the same error. I can, however, connect when I am connected on the local LAN. This tells me it is an issue with the firewall configs. Any help please, asap.


Community Member

Re: PPTP VPN, need to limit user internal access

You say you have an access list on the LAN interface permitting GRE and 1723; do you also have one on the WAN interface, or was that a typo?

Here is what I have used to learn how to set up PPTP:

I also change the setup of the Windows VPN client: set 'Type of VPN' to PPTP and, under 'Security', select Custom, then check MS-CHAP and MS-CHAPv2.

Post your configs and I may be able to help more.

Community Member

Re: PPTP VPN, need to limit user internal access

Thanks cmonks, I tried all the configs but am still getting the same error 619 message when connecting from the Internet. These are the configs:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname VPN Router
!
enable secret 5 $1$3GyN$7uNpSCfTKaEjFSktuzSba.
!
aaa new-model
aaa authentication login userauthen local
aaa authentication ppp default local-case
aaa authorization network default local
aaa authorization network groupauthor local
aaa session-id common
!
resource policy
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
! CBAC inspection rule set applied outbound on the WAN interface
ip inspect name myfw cuseeme
ip inspect name myfw ftp
ip inspect name myfw http
ip inspect name myfw rcmd
ip inspect name myfw realaudio
ip inspect name myfw tftp
ip inspect name myfw udp
ip inspect name myfw tcp
ip inspect name myfw icmp
ip inspect name myfw esmtp
ip ips notify SDEE
!
! PPTP server: VPDN group bound to Virtual-Template1
vpdn enable
no vpdn aaa untagged default
vpdn-group 1
 ! Default PPTP VPDN group
 protocol pptp
 virtual-template 1
!
username xxxx password 7 113B1C084444520D07292E373B
!
! IPsec remote-access (Cisco VPN client) configuration
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group CISCOVPNclient
 key cisco
 pool clients
 ! (no 'ip local pool clients' appears among the pools defined below)
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0
 description WAN interface
 encapsulation dot1Q 230
 ip address
 ip access-group incontrol in
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 no snmp trap link-status
 crypto map clientmap
!
interface FastEthernet0/1
 ip address
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 ntp broadcast
!
! Template cloned for each PPTP session
interface Virtual-Template1
 ip unnumbered FastEthernet0
 peer default ip address pool MSVPN
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
ip local pool CISCOVPNclient
ip local pool MSVPN
ip classless
ip http server
no ip http secure-server
ip nat inside source route-map ISgtw interface FastEthernet0 overload
ip route
!
! 'mylan' is only referenced by the NAT route-map, not as an access-group
ip access-list extended mylan
 permit tcp any eq www
 permit tcp any eq 443
 permit tcp any eq ftp
 permit icmp any echo
 permit tcp host any eq smtp
 permit tcp host any eq pop3
 permit tcp any eq 1723
 permit tcp any eq smtp
 permit tcp any eq pop3
 permit gre any
!
! Inbound filter on the WAN interface
ip access-list extended incontrol
 permit tcp any host eq smtp
 permit tcp any host eq 443
 permit esp any host
 permit udp any eq isakmp host
 permit tcp any host eq 1723
 permit gre any host
 permit udp any host eq isakmp
 permit udp any host eq non500-isakmp
 permit udp any host eq 1000
 permit tcp any host eq 51
 permit tcp any host eq 1000
 permit udp any host eq 62515
 deny ip any any
!
route-map ISgtw permit 50
 match ip address mylan
!
line con 0
line aux 0
line vty 0 4
 password 7 104D000A0618

I also have the Cisco VPN client configured, which works fine, but I am only able to receive mail and cannot send mail in Outlook when connected.

Community Member

Re: PPTP VPN, need to limit user internal access


You should have ip inspect myfw pptp in order to allow PPTP return traffic.

You must also permit GRE and PPTP on your inside ACL.

Hope it helps.
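The two changes this reply describes, written out as an added example (not configuration from the thread) with assumed addresses. `ip inspect name myfw pptp` makes CBAC track the PPTP control connection (TCP/1723) for the sessions it inspects and open the matching GRE pinhole, and the inbound WAN ACL must explicitly admit both the control channel and GRE (IP protocol 47) to the router's own address, since the router is the tunnel endpoint. The WAN address, mask and interface name are assumptions; the rule name `myfw` and ACL name `incontrol` follow the posted config.

```cisco
! Added example (not from the original thread). Assumed values:
!   router WAN address (PPTP server): 203.0.113.10/29
!   WAN interface                   : FastEthernet0
!
! 1. Inspection: track PPTP control sessions and their GRE data channel.
ip inspect name myfw pptp
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw icmp
!
! 2. Inbound WAN filter: both channels of a PPTP session must be allowed
!    to the router's address ahead of the closing deny. GRE has no ports,
!    so it is matched by protocol only.
ip access-list extended incontrol
 remark PPTP control channel
 permit tcp any host 203.0.113.10 eq 1723
 remark PPTP data channel (GRE, IP protocol 47)
 permit gre any host 203.0.113.10
 deny   ip any any log
!
interface FastEthernet0
 ip address 203.0.113.10 255.255.255.248
 ip access-group incontrol in
 ip inspect myfw out
!
! 3. Checks while a client dials in from the Internet:
!   show ip access-lists incontrol   counters on the 1723 and gre lines move
!   show ip inspect sessions         sessions CBAC is currently tracking
!   show vpdn session                PPTP session present once PPP is up
!   debug ppp negotiation            use if TCP/GRE arrive but PPP fails
!   debug ppp authentication         use if the failure is at MS-CHAP
```

If the 1723 counter increments but the GRE counter never does, the client's control connection is reaching the router and the data channel is being dropped before it arrives, which is the usual cause of error 619 behind a NAT device or filter between the client and the router.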
