Unable to ping public IP router address for VPN

Hi there,

We are attempting to establish a VPN connection from the Internet to our server in our office.  We have configured our Windows 2003 server using Routing and Remote Access and have configured our router to port forward port 1723 from our ISP-provided static public IP address to our server's internal IP address (as per the instructions detailed at www.portforward.com/english/routers/port_forwarding/Netgear/FVS318/Point-to-Point_Tunneling_Protocol.htm).

From a local PC on our network, we went to the website www.canyouseeme.org which reported that our public IP was as expected and we could be "seen".  We also checked that this could be seen through port 1723, and this was also successful.  We are able to ping this public IP address from the internal network.

We are having issues however when attempting to connect to the public IP address via the VPN client from a PC on the internet.  When we try to ping this address from a command prompt, it times out.  As a result, the VPN network connection we have created on the PC also times out when attempting to connect to this public IP address.

This has occurred from two different PCs using two different ISPs.

Is there any reason why we would not be able to ping our public IP address from the Internet?  The router appears to be set up properly and ready to go with the WAN port configured correctly, etc.  It appears that the public IP address is being blocked or something?

Any help would be much appreciated.


Rob Williams Commented:
>>"This would certainly explain why I cannot ping it "

>>"and why the Windows XP VPN client cannot connect to the address in question."
Blocking ICMP requests only removes the ability to ping the router, connecting with the VPN uses other protocols and should not be affected. Having said that, perhaps you should ask them if they also block PPTP traffic which is required for the VPN, a few do.

Let me know how it goes.
Rob Williams Commented:
As a rule ICMP (ping) requests are denied from the Internet by your router. This is a default rule to protect you from Denial of Service attacks. If you wish to test however, go to the "rules" page of the FVS318 router, and check the box "Respond to Ping on Internet WAN Port".

If still no luck could you post the make and model of your modem and we can advise if there is any configuration required on it.

When you set up the port forwarding, did you create a new service for port 1723 or use the default/built-in PPTP service? GRE packets have to be allowed to pass for the VPN to work. This is protocol 47 (not port 47). As I understand it, when you port forward the default PPTP service, this is done at the same time on that router. That may not be the case if you create a service manually.

peterkennedy (Author) Commented:
Hi again Rob,

Thanks for your assistance again.  You provided me with some useful information in regards how to set this up initially which I have followed to the letter.  

This was question ID 21861408.

- The router is a FVS318.  
- When I set up port forwarding I created a new service for port 1723 as per the instructions in www.portforward.com/english/routers/port_forwarding/Netgear/FVS318/Point-to-Point_Tunneling_Protocol.htm.  
- I ticked the option to "Respond to Ping on Internet WAN Port", but this has made no difference.  I did not tick the option or the DMZ just above this option.

I am beginning to think that there is something else configured on the router or the firewall within it that is blocking this, such as respond to IP, passthru, etc.  However, as I did not originally set up the router I don't know what was configured and what wasn't.  They may have totally locked it down, but if ticking the "Respond to ping on Internet WAN port" overrides this then I am a bit confused as to what else might be blocking it.


Rob Williams Commented:
Hi Pete, glad to try to help. There is the possibility that the modem is a combined router and modem and may be blocking some traffic, or not forwarding it to the router. If so it may have to be put in Bridged mode. Do you know if this is the case, i.e. if your modem performs NAT (network address translation) ? If in doubt post the make and model of the modem and we can check it out and advise appropriately.
peterkennedy (Author) Commented:
Hi Rob,

I have just spoken with the ISP in question who have told me that they block all ICMP traffic by default.  

This would certainly explain why I cannot ping it and why the Windows XP VPN client cannot connect to the address in question.

I have asked the ISP to remove this block for us so that I can at least see the IP address and test the VPN connection and we can go from there.

I will keep you posted

peterkennedy (Author) Commented:
Hi Rob,

I have managed to get this working just the way we want it.  That is, I can now VPN in using a simple Windows XP VPN network connection using the WAN address and a valid domain username and password, as well as being able to map a network drive and connect to OWA.  

The interesting part is that I still cannot "ping" the IP address, but the VPN is happy seeing it, so I am happy with that also!

One last question for you... I am using Routing and Remote Access on the Windows 2003 server for remote access.  When I VPN in, it asks for my domain username and password, and I have tested credentials that are not valid, and it does not let me in (which is correct) and will let me in with valid credentials (which is also correct).  My question is, how secure is this?  I am seeing that there is just a knowledge of the WAN address and a valid domain username and password required to gain access to this server, but is this "good enough"?  Or is this a very easy "wall" to break through?

Should I be looking into something like ISA server to secure this even more at the server end?
Rob Williams Commented:
Sounds like you have made great progress.

>>"The interesting part is that I still cannot "ping" the IP address, but the VPN is happy seeing it"
The ISP is likely just blocking ICMP traffic and nothing else. That is probably to avoid Denial of Service attacks.

When is there enough security...... :-)
That is a good question. A PPTP VPN is not much more secure than a remote desktop connection as far as guessing the appropriate connection information. A VPN, of this type, primarily adds encryption protecting the traffic from being intercepted and read. The hacker does have to know 5 things though; the IP, that a VPN connection is an option, the VPN protocol, user name, and password. Best protection against an attack is a strict password policy, especially the number of wrong attempts. Most often a hacker will stumble on your IP, doing a port scan and notice port 1723 is open. Then they will attempt to connect by guessing, probably using the administrators account, and a password hacking tool. If you have set your policy to disable the account after 3 or 4 wrong attempts the user will be locked out. Not fool proof, but pretty good.

There are options to further increase security such as changing the default 1723 port, changing to an L2TP VPN connection with IPSec, using certificates, adding a RADIUS server, installing ISA server, or adding an external VPN router.  With ISA, a RADIUS server, or a quality VPN router such as a Cisco, you can add further requirements for users such as requiring a user to connect from a specific IP, having a specific client installed, or having configured certificates.

Although I am a big fan of ISA for overall security, if your main purpose for looking at it is for VPN access, I would recommend a good VPN router such as a Cisco PIX unit. In my opinion, and there are those who will argue, I believe ISA should be on a separate machine. If so you are looking at a server, server software, CALs, and ISA, not a cheap investment. ISA does have a nice quarantine feature allowing other security protection such as verifying the user has all Windows updates installed, all virus software is up to date, and any other parameter you wish to script to test for. On the other hand, depending on the number of users, a Cisco VPN router starts at <$400 US. Adding the router is a perimeter line of defense, requires no open or forwarded ports, allows much tighter control, and uses IPSec which is more secure than PPTP.
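As an added illustration (not part of the thread), here is a Python check that applies the lockout rule Rob describes, a few failed logons in a short window locking the account, to a constructed log of PPTP logon attempts; the log format, user names and addresses are made up for the example and do not reproduce real RRAS or Event Log output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not real RRAS/Event Log output).
SAMPLE_LOG = """\
2006-05-01 10:00:01 PPTP logon FAILED user=administrator src=203.0.113.5
2006-05-01 10:00:04 PPTP logon FAILED user=administrator src=203.0.113.5
2006-05-01 10:00:09 PPTP logon FAILED user=administrator src=203.0.113.5
2006-05-01 10:00:15 PPTP logon FAILED user=administrator src=203.0.113.5
2006-05-01 10:05:00 PPTP logon FAILED user=pkennedy src=198.51.100.7
2006-05-01 10:05:30 PPTP logon OK user=pkennedy src=198.51.100.7
2006-05-01 11:30:00 PPTP logon FAILED user=jsmith src=192.0.2.44
2006-05-01 12:45:00 PPTP logon FAILED user=jsmith src=192.0.2.44
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) PPTP logon (?P<result>FAILED|OK) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "ok": m.group("result") == "OK",
            "user": m.group("user"), "src": m.group("src")}

def find_lockouts(log_text, threshold=3, window=timedelta(minutes=30)):
    """Apply an account-lockout rule: `threshold` failed logons for one
    account inside `window` lock it. A successful logon clears that account's
    counter. Returns {user: (lockout_time, source_ip)}."""
    failures = defaultdict(list)   # user -> timestamps of recent failures
    lockouts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["ok"]:
            failures.pop(ev["user"], None)
            continue
        # keep only the failures that fall inside the window ending at this event
        recent = [t for t in failures[ev["user"]] if ev["ts"] - t <= window]
        recent.append(ev["ts"])
        failures[ev["user"]] = recent
        if len(recent) >= threshold and ev["user"] not in lockouts:
            lockouts[ev["user"]] = (ev["ts"], ev["src"])
    return lockouts
```

Running `find_lockouts(SAMPLE_LOG)` flags only the administrator account, on the third failure; the two jsmith failures are too far apart to count together.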
peterkennedy (Author) Commented:

Thanks again for your help Rob.

I think for the moment, as you suggested, I will take the additional steps to:

- Ensure strong passwords are being used
- Change the port from 1723 to something else (I am assuming that just about any port number can be used depending on how you configure the router)
- Enforce a password lockout policy
Rob Williams Commented:
You are very welcome.

As for changing the port, to be honest I have never done it. I use VPN routers mostly; however, you can change the mapping on most routers to forward external port 5678 (for example) to local port 1723. If you do not have the external/internal option on the router you would have to find a way to change the registry to affect the default PPTP port within Windows. The client connects to port 1723 by default, so you would also have to specify the new external port in the client. Usually this is done by adding the port number to the address, for example
The port can be anything that is not used for a standard Windows service.
Personally, I think if using PPTP, strong passwords and a lockout policy are most important. Beyond that, I would focus more on perimeter defense and stronger encryption such as IPSec.