TOPIC: Cisco vpdn access list

Cisco vpdn access list 13 years 3 months ago #12167

Hello !

I have set up a simple vpdn server on a Cisco 800 series router.
It is used for remote users who are using the W2k VPN client.
Protocol is PPTP.

Users authenticate to the server using usernames defined locally on the router.
Then they get a local IP address from a pool also defined on the router.
This is working fine and I want it to stay like this.

What I would like to do now is to make connections possible only from several IP addresses.
I know it's possible by creating a simple access list, but I don't know which part of the configuration to assign it to.

Is logging of vpdn connections also possible?

The configuration of vpdn looks like this:

username user password 7 xxxxxxxxxxxxxxx

aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local

vpdn enable

vpdn-group 1
! Default PPTP VPDN group
description VPDN Group for remote Windows VPN clients
protocol pptp
virtual-template 1

interface Virtual-Template1
ip unnumbered Ethernet1
peer default ip address pool vpn-local
no keepalive
ppp encrypt mppe auto
ppp authentication pap chap ms-chap

interface Virtual-Template1
ip unnumbered Ethernet1
ip mroute-cache
peer default ip address pool vpn-local
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2

ip local pool vpn-local

ip access-list standard vpn-users permit

Thank You.

Re: Cisco vpdn access list 13 years 3 months ago #12206

  • Chris

It's a good idea to try and restrict access from certain IP addresses. In order to achieve this, you simply need to add the following to the access list bound to your 'outside' interface (e.g. dialer interface):

1) Define the access list
access-list 103 permit tcp any host <your router's ip> eq 1723
access-list 103 permit gre any host <your router's ip>

You can change the '103' to whatever extended access list number you're using.

2) Bind the access list to your 'outside' interface.

Assuming our outside interface is dialer 0:
sh run:
interface Dialer0
description Internet Interface
ip access-group 103 in

That should do the job. If you have any problems, let us know!

Chris Partsenidis.
Founder & Editor-in-Chief

Re: Cisco vpdn access list 13 years 3 months ago #12233


But doesn't that block other access to the internet interface?
This interface is our default gateway to the internet.
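
An added example, not part of the original thread or of any poster's configuration: an inbound extended access list that accepts PPTP only from named source addresses, logs refused attempts, and leaves other traffic on the Internet interface untouched. The addresses 198.51.100.10, 198.51.100.20 and 203.0.113.1 are constructed placeholders, and the example assumes no other inbound access list is already applied to Dialer0 (if one is, the PPTP entries go above its existing entries).

```cisco
! Constructed placeholder addresses:
!   198.51.100.10, 198.51.100.20  = remote clients allowed to connect
!   203.0.113.1                   = the router's outside (Dialer0) address
!
! PPTP needs both the control channel (TCP 1723) and the GRE tunnel,
! so each allowed client gets one entry for each.
access-list 103 permit tcp host 198.51.100.10 host 203.0.113.1 eq 1723
access-list 103 permit gre host 198.51.100.10 host 203.0.113.1
access-list 103 permit tcp host 198.51.100.20 host 203.0.113.1 eq 1723
access-list 103 permit gre host 198.51.100.20 host 203.0.113.1
!
! Refuse PPTP from every other source; 'log' records each refused attempt.
access-list 103 deny tcp any host 203.0.113.1 eq 1723 log
access-list 103 deny gre any host 203.0.113.1 log
!
! Pass all remaining traffic. Without this entry the implicit deny at the
! end of the list would drop everything else arriving on the interface.
access-list 103 permit ip any any
!
interface Dialer0
 description Internet Interface
 ip access-group 103 in
```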