I have a Cisco PIX 506E and have an outside vendor that wants to VPN into our network to a specific host. I have set up a PPTP VPN configuration that works, but I now want to restrict who can establish a VPN connection to the PIX. The configuration I have today is:

    access-list vpn permit ip 172.16.0.0 255.255.0.0 192.168.2.0 255.255.255.0
    nat (inside) 0 access-list vpn
    sysopt connection permit-pptp
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 client configuration address local pptp-pool
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username ***** password *****
    vpdn enable outside

This works, but anyone can start a tunnel to my PIX. How do I restrict who can establish a VPN to this device? Is it through normal ACLs or object-groups? If so, how do I associate them with the vpdn group?

Thanks in advance for any help!