Your pptp address pool is 192.168.200.100-192.168.200.110 so in order to restrict pptp traffic without restricting anything else, you should match against exactly those addresses. You could list each of the addresses individually in the object-group
and so on, but the most compact representation that covers exactly that range of addresses is the one I gave. There is no way in a PIX network object-group to list a range of addresses, only base addresses and network masks.
Note that when a netmask is used on the PIX in the context of an ACL, it is just a bitmask, with no implication of subnetting -- the first and last addresses are NOT reserved.
The only exception to this is in "policy static" -- in the context of a static command that names an access-list, the netmask of the ACL entries -do- imply network behaviour.
If you have static (inside,outside) OUTSIDEIP INSIDEIP netmask NETMASK then NETMASK *does* imply reservation of the first and last IP. This can be defeated by specifically static'ing those individual IPs with a netmask of 255.255.255.255
Also, the netmask on ip address commands does imply reservation of the first and last IP; there isn't any way to defeat that.
But in ACLs applied to anything other than "policy static", the mask is just used to select bits.
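As an added illustration of the two points in the post above (this is example code, not anything from the original poster or from Cisco): the script decomposes an inclusive IPv4 range into the smallest set of base-address/netmask pairs a PIX `object-group network` can express, renders them as `network-object` lines, and then expands them two ways. The ACL-style expansion treats the mask purely as a bitmask (every matching address counts), while the "policy static" / interface-style expansion drops the first and last address of each block, which is the behaviour the post warns about. The object-group name `PPTP_POOL` is an arbitrary placeholder.

```python
import ipaddress

# Constructed input: the PPTP address pool discussed in the post.
POOL_FIRST = "192.168.200.100"
POOL_LAST = "192.168.200.110"


def range_to_base_mask(first: str, last: str) -> list[tuple[str, str]]:
    """Return the minimal list of (base, netmask) pairs covering exactly
    first..last inclusive. This is what a PIX object-group needs, since it
    cannot express a range directly, only base addresses and masks."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    return [
        (str(net.network_address), str(net.netmask))
        for net in ipaddress.summarize_address_range(start, end)
    ]


def pix_object_group(name: str, first: str, last: str) -> str:
    """Render the decomposition as PIX object-group configuration lines."""
    lines = [f"object-group network {name}"]
    for base, mask in range_to_base_mask(first, last):
        if mask == "255.255.255.255":
            lines.append(f"  network-object host {base}")
        else:
            lines.append(f"  network-object {base} {mask}")
    return "\n".join(lines)


def acl_matched_addresses(entries: list[tuple[str, str]]) -> set[str]:
    """ACL semantics: the mask only selects bits, so every address whose
    masked bits equal the base matches; nothing is reserved."""
    matched: set[str] = set()
    for base, mask in entries:
        net = ipaddress.IPv4Network(f"{base}/{mask}")
        # Iterating a network yields all addresses, network and broadcast included.
        matched.update(str(addr) for addr in net)
    return matched


def policy_static_addresses(entries: list[tuple[str, str]]) -> set[str]:
    """'policy static' / 'ip address' semantics: the mask implies a subnet,
    so the first and last address of each block are reserved and excluded.
    /31 and /32 have no such addresses to reserve and are kept whole."""
    usable: set[str] = set()
    for base, mask in entries:
        net = ipaddress.IPv4Network(f"{base}/{mask}")
        addrs = list(net)
        if net.prefixlen >= 31:
            usable.update(str(a) for a in addrs)
        else:
            usable.update(str(a) for a in addrs[1:-1])
    return usable


def expected_pool() -> set[str]:
    """The exact set of addresses the pool should cover, for comparison."""
    start = int(ipaddress.IPv4Address(POOL_FIRST))
    end = int(ipaddress.IPv4Address(POOL_LAST))
    return {str(ipaddress.IPv4Address(i)) for i in range(start, end + 1)}


if __name__ == "__main__":
    entries = range_to_base_mask(POOL_FIRST, POOL_LAST)
    print(pix_object_group("PPTP_POOL", POOL_FIRST, POOL_LAST))
    print("ACL bitmask match covers exactly the pool:",
          acl_matched_addresses(entries) == expected_pool())
    print("Addresses lost if the same masks were read as subnets:",
          sorted(expected_pool() - policy_static_addresses(entries)))
```

Running it shows the eleven-address pool needs four `network-object` entries (two /30 blocks, one /31 and one host), that those entries match exactly the eleven addresses under ACL bitmask semantics, and that reading the same masks as subnets (as a policy static would) silently drops the block edges such as .100, .103, .104 and .107.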