The OpenNET Project / Index page

Routing through VPN on a PPTP Dialer, Dmitriy, 16-Mar-12, 10:48
Good day, everyone.

There is a Cisco 2921 with two physical interfaces.
Internal gi0/0 - lan_ip, and external - wan_ip

The internal network lan_network must communicate over the VPN with the servers of the vpn_network /24 network.
The Dialer is up, the Cisco sees everyone, the users of the network do not.
Only the servers should be accessed through the VPN.

Please take a look and advise.

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 secret
enable password password
!
no aaa new-model
!
clock timezone MSK 4 0
!
no ipv6 cef
ip source-route
no ip gratuitous-arps
ip cef
!
!
!
ip multicast-routing
!
ip dhcp pool user
   import all
   network %lan_network%
   default-router %cisco_ip%
   dns-server %dns_ip%
!
!
no ip domain lookup
ip domain name %name.domain%
ip name-server %vpn_DNS_ip%
ip inspect WAAS flush-timeout 10
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
request-dialin
  protocol pptp
  rotary-group 0
initiate-to ip %vpn_wan_ip%
!
!
crypto pki token default removal timeout 0
!
!
username xx privilege 15 password 0 password
!
redundancy
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address %cisco_ip%
ip access-group internal in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
ip address %wan_ip%
ip access-group external in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface Dialer0
mtu 1450
ip address negotiated
ip pim dense-mode
ip nat outside
ip nat enable
ip virtual-reassembly in
encapsulation ppp
dialer in-band
dialer idle-timeout 0
dialer string 123
dialer vpdn
dialer-group 1
ppp pfc local request
ppp pfc remote apply
ppp chap hostname xx
ppp chap password 0 xx
no cdp enable
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source list vpn interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 %gateway_provider%
ip route %vpn_network% 255.255.255.0 Dialer0
!
ip access-list extended external
deny   ip %lan_network% 0.0.0.255 %vpn_network% 0.0.0.255
permit icmp any host %wan_ip%
permit ip any any
ip access-list extended internal
permit ip any any
ip access-list extended vpn
permit ip %lan_network% 0.0.0.255 %vpn_network% 0.0.0.255
permit icmp %lan_network% 0.0.0.255 %vpn_network% 0.0.0.255
!
logging esm config
access-list 1 permit %lan_network% 0.0.0.255
access-list 1 deny   %vpn_network% 0.0.0.255
access-list 101 permit ip %lan_network% 0.0.0.255 any
access-list 101 permit icmp %lan_network% 0.0.0.255 any
access-list 199 permit ip any host %wan_ip%
access-list 199 permit icmp any host %wan_ip%
dialer-list 1 protocol ip permit
dialer-list 1 protocol netbios permit
!
!
!
!
!
!
control-plane
!
!
line con 0
password xx
login
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 0 0
password xx
login
transport input all
!
scheduler allocate 20000 1000
end



