New Member

VPN with Cisco 2611 v 12.0 IOS

Hello all.

I am trying to set up a Win2K server as a VPN server behind a Cisco 2611 router to connect a satellite office to our main office.

I have found some info on how to set up access lists and such, but I have hit a wall.

What I have so far:

interface Ethernet0/0
 description connected to EthernetLAN
 ip address
 no ip directed-broadcast
 ip nat inside

interface Ethernet0/1
 description connected to Internet
 ip address
 ip access-group inet_inbound in (--- I added correct ???)
 no ip directed-broadcast
 ip nat outside

ip access-list extended inet_inbound
 deny ip any
 deny ip any
 deny ip any
 permit tcp any host eq 1723
 permit gre any host

Both examples I have show:

interface Serial0/0
 description internet interface
 ip address
 ip access-group inet_inbound in

BUT when I try to type "interface Serial0/0" at the router config prompt, it gives me an error pointing to the 'S' in serial. So should I add the ip access-group line to my Internet 0/1 like I did above, since that is my internet connection?

Thanks in advance.


Cisco Employee

Re: VPN with Cisco 2611 v 12.0 IOS

You don't have a Serial interface in your router, so you're adding the access-list to the correct interface.

The trouble is you're trying to connect to the address which is the router's address, not the address of the internal Win2K server. For a PPTP connection you will need a second IP address from your ISP, so let's assume they give you

The following will send all traffic destined for through to your internal Win2K server (which I've assumed is, change if necessary):

ip nat inside source static extendable

Change the two lines in your access-list to reference the .87 address rather than the .86.

Then have all your VPN clients connect to the .87 address rather than .86 and you should be good to go.
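
A consistency check for the setup described in the reply above, added here as an example and not part of either post: it confirms that the inbound ACL permits both TCP 1723 and GRE to the public address used in the static NAT entry. The addresses 192.0.2.86, 192.0.2.87 and 10.0.0.10 and the function name check_pptp are constructed for illustration; the thread's real addresses are not shown on the page.

```python
import re

# Constructed sample config. 192.0.2.87 (second public address) and
# 10.0.0.10 (internal Win2K server) are documentation placeholders.
# The tcp/1723 line deliberately still points at the router's .86 address.
SAMPLE_CONFIG = """\
ip nat inside source static 10.0.0.10 192.0.2.87 extendable
interface Ethernet0/1
 ip access-group inet_inbound in
 ip nat outside
ip access-list extended inet_inbound
 permit tcp any host 192.0.2.86 eq 1723
 permit gre any host 192.0.2.87
"""

NAT_RE = re.compile(r"^\s*ip nat inside source static (\S+) (\S+)", re.M)
ACL_RE = re.compile(r"^\s*permit (tcp|gre) any host (\S+)(?: eq (\d+))?\s*$", re.M)


def check_pptp(config):
    """Return the problems that would stop PPTP reaching the NAT'd server."""
    nat = NAT_RE.search(config)
    if not nat:
        return ["no static NAT entry for the VPN server"]
    # The inbound ACL on the outside interface is checked before NAT,
    # so it has to match the public (global) address, not the inside one.
    public = nat.group(2)
    entries = ACL_RE.findall(config)
    # PPTP needs its control channel (TCP 1723) and GRE to the same host.
    tcp_hosts = {h for p, h, port in entries if p == "tcp" and port == "1723"}
    gre_hosts = {h for p, h, port in entries if p == "gre"}
    problems = []
    for name, hosts in (("tcp/1723", tcp_hosts), ("gre", gre_hosts)):
        if public not in hosts:
            seen = ", ".join(sorted(hosts)) or "nothing"
            problems.append(f"{name} permitted to {seen}, not NAT address {public}")
    return problems


if __name__ == "__main__":
    for line in check_pptp(SAMPLE_CONFIG) or ["ACL and static NAT agree"]:
        print(line)
```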