PPTP & restricting to single Internal IP address

So if I set up PPTP access on a PIX using the following:

ip local pool mypool 192.168.200.100-192.168.200.110

sysopt connection permit-pptp

vpdn group mygroup accept dialin pptp
vpdn group mygroup ppp authentication mschap
vpdn group mygroup ppp encryption mppe 128 required
vpdn group mygroup client configuration address local mypool
vpdn group mygroup pptp echo 60
vpdn group mygroup client authentication local
vpdn username user1 password password1
vpdn username user2 password password2
vpdn enable outside

What's the best way to add an ACL for only allowing the PPTP user to access a single internal IP host?

darkmoo

no sysopt connection permit-pptp

object-group network pptp_addresses
 network-object 192.168.200.100 255.255.255.252
 network-object 192.168.200.104 255.255.255.252
 network-object 192.168.200.108 255.255.255.254
 network-object host 192.168.200.110

access-list nonat permit host INTERNALSERVERIP object-group pptp_addresses

nat (inside) 0 access-list nonat

access-list out2in permit object-group pptp_addresses host INTERNALSERVERIP
access-group out2in in interface outside

Walter Roberson

Why do you break it up into 3 different subnets?

darkmoo

Your pptp address pool is 192.168.200.100-192.168.200.110, so in order to restrict pptp traffic without restricting anything else, you should match against exactly those addresses. You could list each of the addresses individually in the object-group

 network-object host 192.168.200.100
 network-object host 192.168.200.101
 network-object host 192.168.200.102

and so on, but the most compact representation that covers exactly that range of addresses is the one I gave. There is no way in a PIX network object-group to list a range of addresses, only base addresses and network masks.

Note that when a netmask is used on the PIX in the context of an ACL, it is just a bitmask, with no implication of subnetting -- the first and last addresses are NOT reserved.

The only exception to this is in "policy static" -- in the context of a static command that names an access-list, the netmask of the ACL entries -do- imply network behaviour.

If you have static (inside,outside) OUTSIDEIP INSIDEIP netmask NETMASK then NETMASK *does* imply reservation of the first and last IP. This can be defeated by specifically static'ing those individual IPs with a netmask of 255.255.255.255

Also, the netmask on ip address commands does imply reservation of the first and last IP; there isn't any way to defeat that.

But in ACLs applied to anything other than "policy static", the mask is just used to select bits.

Walter Roberson
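The exact-range object-group Walter describes, worked through in Python as an added example that is not part of the thread: it generates the network-object entries for a pool and checks, treating each mask as a plain bitmask the way the PIX does in ACLs (first and last address not reserved), that the entries permit exactly the pool addresses and nothing more. The function names are my own.

```python
import ipaddress

# Added example, not from the thread. Netmasks are handled as pure bitmasks,
# matching PIX ACL/object-group semantics rather than subnet semantics.


def pix_network_objects(first, last):
    """Smallest set of network-object lines covering first..last inclusive."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    lines = []
    for net in blocks:
        if net.prefixlen == 32:
            lines.append(f"network-object host {net.network_address}")
        else:
            lines.append(f"network-object {net.network_address} {net.netmask}")
    return lines


def expand(lines):
    """Addresses selected by the entries; the mask only selects bits,
    so the first and last address of each block are included."""
    selected = set()
    for line in lines:
        parts = line.split()
        if parts[1] == "host":
            selected.add(ipaddress.IPv4Address(parts[2]))
        else:
            net = ipaddress.IPv4Network((parts[1], parts[2]), strict=False)
            selected.update(net)  # iterating a network yields every address
    return selected


def outside_pool(lines, first, last):
    """Addresses the entries permit that are NOT in the pool (should be empty)."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    pool = {ipaddress.IPv4Address(i) for i in range(lo, hi + 1)}
    return sorted(expand(lines) - pool)


if __name__ == "__main__":
    exact = pix_network_objects("192.168.200.100", "192.168.200.110")
    print("\n".join(exact))
    # A single /28 would be shorter but also permits 96-99 and 111.
    loose = ["network-object 192.168.200.96 255.255.255.240"]
    print("over-match:", outside_pool(loose, "192.168.200.100", "192.168.200.110"))
```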
