I've bm37 server + client to site vpn with two interfaces public and

I need to restrict vpn client to access some internal hosts (my vpn
client need to access only one of internal netware servers). I make
deny filter from vptunnel to any and any to vptunnel, and make
exception from vptunnel to one internal netware server (non stateful
ncp filter from vptunnel to internal host).But vpn client can normal
login and access netware server without back (from internal to
vptunnel) filter.
Why this happen and what I miss configure?