Cisco 857 Router Port 1723 remains closed

Posted on 2007-10-03
Last Modified: 2012-08-13
Hi. I have recently installed a Cisco 857 router, but despite doing what I think is necessary to open port 1723 in the config, when I carry out a port scan using Shields Up, it shows port 1723 to remain closed. All other ports I have opened show up as open, all other ports show up as closed. Here is my config (with private info XXXXed out):
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
hostname XXXXX
logging buffered 4096
no aaa new-model
no ip dhcp use vrf connected
ip dhcp excluded-address
ip dhcp pool sdm-pool
   import all
   lease 0 2
ip cef
no ip domain lookup
ip domain name
crypto pki trustpoint TP-self-signed-3284358714
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3284358714
 revocation-check none
 rsakeypair TP-self-signed-3284358714
crypto pki certificate chain TP-self-signed-3284358714
 certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
username cisco privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXX
username pcs privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXX
interface ATM0
 no ip address
 ip virtual-reassembly
 no atm ilmi-keepalive
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
 ip address
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
ip route Dialer0
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 3389 interface Dialer0 3389
ip nat inside source static tcp  443 interface Dialer0 443
ip nat inside source static tcp  80 interface Dialer0 80
ip nat inside source static tcp  25 interface Dialer0 25
ip nat inside source static tcp  1723 interface Dialer0 1723
access-list 1 permit XXXXXXXXXXXXXXXXXXXX
access-list 23 permit
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 1723
dialer-list 1 protocol ip permit
no cdp run
banner login ^C
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
scheduler max-task-time 5000


Question by:pcsbay94
    LVL 10

    Accepted Solution

    Maybe I'm missing it, but I don't see where access-list 101 is applied to any of your interfaces... that'd probably be the issue. Functionally, the ACL is correct.
    LVL 11

    Expert Comment

    Are you sure that PPTP server has started? Do you have MS Firewall enabled on the host?
    Everything seems correct in your config.

    Author Comment


    I added the following line under the interface Dialer0

     ip access-group 101 in

    to bind it to the Dialer0 interface.  Then, as I could no longer surf the web or anything, I added the following ports to access-list 101

    access-list 101 permit tcp any any eq 80
    access-list 101 permit tcp any any eq 25
    access-list 101 permit tcp any any eq 3389
    access-list 101 permit tcp any any eq 443
    access-list 101 permit gre any any
    access-list 101 permit tcp any any eq 1723

    However, upon uploading the conf to the router I still couldn't get any access to the internet (web pages etc.), so I blew away that conf and reuploaded the conf that I originally posted.  So I'm back to where I started.

    What did I do wrong with binding the access-list 101 to the dialer0 interface?


    LVL 11

    Expert Comment

    1. Direction
    2. you need udp 53 for DNS

    Author Comment

    Tvman od:

    Thank you for your concise answer. However, being new at all this Cisco IOS stuff, it's so concise that I need you to expand on it a little for it to be helpful to me.  I don't understand what you mean by your first point, Direction.

    As for the second point I put in  
    access-list 101 permit udp any any eq 53
    as that is what I assume you meant, but it made no difference - when I bind my access-list 101 to Dialer0 I cannot surf the web despite ATM0 and Dialer0 both being alive.

    Any further help you could point out would be appreciated.

    LVL 11

    Assisted Solution

    You can apply an ACL as inbound and outgoing. You need to make sure that source and destination IPs match as desired. In your case "Dialer in" means from the Internet. So this ACL will allow packets to port 80 and others in YOUR network. You need to apply it as

    ip access-group 101 out

    Besides that, ACL 1 controls which IPs will be NATed

    sh ip nat translation

    will give you a list of all existing translations
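The "Direction" point discussed above (an ACL bound with `ip access-group 101 in` on Dialer0 is evaluated against packets arriving from the Internet, so it must also permit the replies to sessions the LAN opened, otherwise web browsing and DNS stop working while the PPTP port still tests open) can be checked with a small simulator. This is an added example and is not code from any participant in the thread. It models first-match evaluation with the implicit deny at the end of the list, supports only the `any any` source/destination form used in this thread, and the `established` line it optionally appends is the standard IOS keyword that matches TCP segments with the ACK or RST bit set; that line is part of this example, not something the thread proposes. All addresses and ports are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# ACL 101 as quoted in the author's comment above, copied here as test input.
THREAD_ACL = [
    "access-list 101 permit tcp any any eq 80",
    "access-list 101 permit tcp any any eq 25",
    "access-list 101 permit tcp any any eq 3389",
    "access-list 101 permit tcp any any eq 443",
    "access-list 101 permit gre any any",
    "access-list 101 permit tcp any any eq 1723",
    "access-list 101 permit udp any any eq 53",
]

# Example addition (not from the thread): permit replies to TCP sessions
# that were opened from the inside.  'established' matches ACK/RST segments.
ESTABLISHED_LINE = "access-list 101 permit tcp any any established"


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "gre"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK or RST set, i.e. not a fresh SYN


@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str
    dport: Optional[int]  # None means any destination port
    established: bool


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse 'access-list N permit|deny PROTO any any [eq PORT] [established]'."""
    aces = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            raise ValueError(f"not an extended ACL line: {line!r}")
        action, proto = tok[2], tok[3]
        if tok[4:6] != ["any", "any"]:
            raise ValueError("this simulator only supports 'any any' entries")
        rest, dport, established, i = tok[6:], None, False, 0
        while i < len(rest):
            if rest[i] == "eq":
                dport, i = int(rest[i + 1]), i + 2
            elif rest[i] == "established":
                established, i = True, i + 1
            else:
                raise ValueError(f"unsupported keyword {rest[i]!r}")
        aces.append(Ace(action, proto, dport, established))
    return aces


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; no match means the implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ace.dport is not None and pkt.dport != ace.dport:
            continue
        if ace.established and not pkt.ack:
            continue
        return ace.action
    return "deny"


def evaluate_inbound_on_dialer0(acl_lines: List[str]) -> Dict[str, str]:
    """Constructed packets as they arrive on Dialer0 from the Internet,
    which is what the 'in' direction inspects.  RFC 5737 documentation
    addresses stand in for the real ones."""
    aces = parse_acl(acl_lines)
    wan = "198.51.100.10"   # placeholder for the negotiated WAN address
    samples = {
        "pptp syn to 1723": Packet("tcp", "203.0.113.7", wan, 40123, 1723),
        "gre tunnel data": Packet("gre", "203.0.113.7", wan),
        # replies to sessions the LAN opened: source port is the service port,
        # destination port is an ephemeral port, so 'eq 80' / 'eq 53' miss
        "reply to our web request": Packet("tcp", "203.0.113.80", wan, 80, 52000, ack=True),
        "reply to our dns query": Packet("udp", "203.0.113.53", wan, 53, 52001),
    }
    return {name: evaluate(aces, p) for name, p in samples.items()}


if __name__ == "__main__":
    for label, acl in (("thread ACL", THREAD_ACL),
                       ("thread ACL + established", THREAD_ACL + [ESTABLISHED_LINE])):
        print(label)
        for name, verdict in evaluate_inbound_on_dialer0(acl).items():
            print(f"  {name:28s} {verdict}")
```

Run as-is, the first table shows the PPTP SYN and GRE permitted but both replies denied, which is the symptom the author reports (port 1723 now tests open, browsing fails). The `established` variant recovers the TCP reply but not the UDP DNS reply, since UDP carries no flags; that is why a stateless inbound ACL on the WAN side needs explicit thought about every return flow rather than only about the services being published.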
