Cisco Support Community

Restrict PPTP & Lan Access


I have an 851 router which is configured for IPsec VPN tunnel, PPTP & Internet access.

I have 15 or so machines that need to communicate with each other; the other 10 or so are managed internally but will also be managed externally.

The current config will work; however, I am concerned about security.

The external companies (3 of them) need access to their own specific hosts only, and those hosts should have no access to the other hosts or servers on the same subnet (apart from one internal machine).

Ideally I would like to retain remote access for support purposes, but if I have to I can completely separate the two sets of machines on physical networks, although this will cause some issues.

I thought of creating multiple VPDN groups with a single IP address and applying access-lists. What is the best way of accomplishing this?

Any suggestions gratefully received.

vpdn enable

vpdn-group 123
 ! Default PPTP VPDN group
 protocol pptp
 virtual-template 101
 local name VPN
 l2tp tunnel receive-window 128

interface Virtual-Template101
 ip unnumbered Vlan1
 peer default ip address pool pptp-pool
 ppp authentication ms-chap

interface Vlan1
 description Connected to LAN
 ip address
 ip nat inside
 ip virtual-reassembly

ip local pool pptp-pool


Re: Restrict PPTP & Lan Access

I think you can configure multihop VPDN. Multihop virtual private dialup networking (VPDN) is a specialized VPDN configuration that allows packets to pass through multiple tunnels. Ordinarily, packets are not allowed to pass through more than one tunnel. In a multihop deployment, the VPDN tunnel is terminated after each hop and a new tunnel is initiated to the next hop destination.


Re: Restrict PPTP & Lan Access

Hi htarra

Thanks for responding. In the end I decided to replace the router with an ASA, as we were also required to separate the networks.
