We help IT Professionals succeed at work.

W2k RRAS PPTP NAT 1723/47=fwded FilterPassTru=PPTP&IPSec

Suburb-Man asked
Last Modified: 2011-01-19
W2k, RRAS, PPTP, NAT, 1723/47=fwded, FilterPassTru=PPTP&IPSec
Static address pool -

On my notebook at the office on the LAN/intranet with a 10.10.10.x address I can VPN to the server 10.10.10.x.
I can Login get assigned a 10.20.0.x address.

While still at the office same as above, same connection profile as above except aiming at our WAN address; it sits at "Verifying user and password..." for 30 seconds the returns Error 721 = "the remote computer is not responding".  
(Not error: 678 = "no answer")

Also tried remotely from home to WAN address with of course no success, same Error 721.
I can successfully use pcAnywhere thru the WAN IP address firewall via forwarding ports 5631&5632.

Any VPN Idea's?
Watch Question

Les MooreSystems Architect
Top Expert 2008

> You should not be able to VPN to the WAN address from the LAN side through your firewall. That would be an egregious security issue.
PPTP passthru is for internal users going to an external server (not the external address of your own server).

If you are at home and can't connect, the firewall nearest the server is not passing GRE Protocol 47.

What kind of firewall do you have?


The only firewall is:
LINKSYS BEFSR11 firmware 1.44.2
  Filters set to allow IPSec and PPTP Pass through
  Forwarding of 1723 and 47, allowing both UDP and TCP, to RRAS Server.

Systems Architect
Top Expert 2008
This one is on us!
(Get your first solution completely free - no credit card required)


The W2kAdvServer is a DHCP, DNS, AD, RRAS, Exchange2k, Stand Alone Compaq Prolient ML530.
Router's DHCP not enabled, it is in Gateway mode.
The router does have UPnP Forwarding and Port Triggering functions, however I am not using them.
I have the router's logging enabled and it shows the WAN/Internet connect attempt to the server.

Is their a testing tool like telnet, SamSpade, or something to troubleshoot RRAS connectivity?

Since this is becomming a bigger issue I increased the points to 500


I got PPTP maximum security MS CHAP v2, and EAP for the VPN working without DMZ!
I suggest nobody ever ever allows a DMZ to any computer.
If you absolutely have to, get another firewall to block the other 65 thousand doors (ports) DMZ opens.
DMZ is the same as in front of the firewall; remove DMZed PC from your LAN would be a good idea.
Access it like the hackers will, thru the internet/WAN with pcAnywhere or similar.

I found a RRAS "Remote access policy" that was blocking connections.

Did I mention I inherited this Server, yep the previous admin had blocked access with a RAS policy.
You could use them to lock down a DMZed RRAS.

Now on to the nightmare of L2TP certificates and SSL Outlook web access.


Make sure IPSec Passthrough and/or PPtP Passthrough is enabled

Port Forwarding
      47      Server's LAN IP
      1723      Server's LAN IP

Port Triggering

      Application Name      Trigger Port Range         Incoming Port Range  

       1:   VPN              47-47                  1723-1723
       *2:   VPN            50-50                  500-500   (optional?)
isaacdokuSystems Administrator

I still cannot get my problem resolved despite testing the above sugestion.  the error 721 after system displays verifying username and password is really making me lose my hairs.  there must be a way out somewhere. we need to crack this in the most simplest way possible.


The problem I have always had with three different Routers/Gateways is:
They are not passing thru the GRE protocol 47!
Linksys 3 different firmware and two different routers, Symantec 320 until firmware fix.

Remove the router and test.


I even tried DMZ to the pptp host (server) and it still wouldn't work until they got the firmware right.
I still can't get L2TP to work.

PPTP isn't secure at login (handshake), use IPSec.

I suggest the Linksys BEFSX41 VPN End Point Firewall, but not the latest firmware only to next to latest (befsx41_1453_fw)
or any router with built in IPSec VPNs, I just know the linksys ones do not require special client software.
I have the same problem

I am using Cisco router as the gateway. When i am nating ip to ip its working fine
But when i nat port 1723 and 47 it is not working.

Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.