Cisco 857 Router Port 1723 remains closed

Hi. I have recently installed a Cisco 857 router, but despite doing what I think is necessary to open port 1723 in the config, when I carry out a port scan using Shields Up, it shows port 1723 to remain closed. All other ports I have opened show up as open; all other ports show up as closed. Here is my config (with private info XXXXed out):
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
hostname XXXXX
logging buffered 4096
no aaa new-model
no ip dhcp use vrf connected
ip dhcp excluded-address
ip dhcp pool sdm-pool
   import all
   lease 0 2
ip cef
no ip domain lookup
ip domain name
crypto pki trustpoint TP-self-signed-3284358714
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3284358714
 revocation-check none
 rsakeypair TP-self-signed-3284358714
crypto pki certificate chain TP-self-signed-3284358714
 certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
username cisco privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXX
username pcs privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXX
interface ATM0
 no ip address
 ip virtual-reassembly
 no atm ilmi-keepalive
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
 ip address
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
ip route Dialer0
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 3389 interface Dialer0 3389
ip nat inside source static tcp  443 interface Dialer0 443
ip nat inside source static tcp  80 interface Dialer0 80
ip nat inside source static tcp  25 interface Dialer0 25
ip nat inside source static tcp  1723 interface Dialer0 1723
access-list 1 permit XXXXXXXXXXXXXXXXXXXX
access-list 23 permit
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 1723
dialer-list 1 protocol ip permit
no cdp run
banner login ^C
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
scheduler max-task-time 5000


Maybe I'm missing it, but I don't see where access-list 101 is applied to any of your interfaces... that'd probably be the issue. Functionally, the ACL is correct.
Are you sure that PPTP server has started? Do you have MS Firewall enabled on the host?
Everything seems correct in your config.
pcsbay94 (Author) Commented:

I added the following line under the interface Dialer0

 ip access-group 101 in

to bind it to the Dialer0 interface.  Then, as I could no longer surf the web or anything I added the following ports to access-list 101

access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 25
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 443
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 1723

However upon uploading the conf to the router I still couldn't get any access to the internet (web pages etc) so I blew away that conf and reuploaded the conf that I originally posted.  So I'm back to where I started.

What did I do wrong with binding the access-list 101 to the dialer0 interface?



1. Direction
2. you need udp 53 for DNS
pcsbay94 (Author) Commented:
Tvman od:

Thank you for your concise answer. However, being new at all this Cisco IOS stuff, it's so concise that I need you to expand on it a little for it to be helpful to me. I don't understand what you mean by your first point, Direction.

As for the second point I put in  
access-list 101 permit udp any any eq 53
as that is what I assume you meant but it made no difference - when I bind my access-list 101 to Dialer0 I cannot surf the web despite ATM0 and Dialer0 both being alive.

Any further help you could point out would be appreciated.

You can apply an ACL as inbound and outgoing. You need to make sure that source and destination IPs match as desired. In your case "Dialer in" means from the Internet. So this ACL will allow packets to port 80 and others in YOUR network. You need to apply it as

ip access-group 101 out

Besides that, ACL 1 controls which IPs will be NATed.

sh ip nat translation

will give you a list of all existing translations
Question has a verified solution.
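
Added example, not part of the thread: a small Python model of first-match ACL evaluation with the implicit deny, run over the access-list 101 entries from the comments above as applied inbound on Dialer0. The packets are constructed, and the two entries in REPLY_ENTRIES are an assumption added here for comparison, not something proposed in the thread.

```python
# Added example (not from the thread): first-match evaluation of the IOS ACL
# entries quoted above. Handles only the keywords used here: any, eq, established.
from collections import namedtuple

Packet = namedtuple("Packet", "proto sport dport flags")
THREAD_ACL = """
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 25
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 443
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 1723
access-list 101 permit udp any any eq 53
"""
REPLY_ENTRIES = """
access-list 101 permit tcp any any established
access-list 101 permit udp any eq 53 any
"""  # assumption: added for comparison, not proposed in the thread

def parse(text):
    rules = []
    for t in (ln.split()[2:] for ln in text.splitlines() if ln.strip()):
        rule = {"action": t[0], "proto": t[1], "sport": None, "dport": None,
                "established": t[-1] == "established"}
        i = 3                             # t[2] is the source "any"
        if t[i] == "eq":                  # "eq" after the source: source port
            rule["sport"] = int(t[i + 1])
            i += 2
        i += 1                            # step past the destination "any"
        if i < len(t) and t[i] == "eq":   # "eq" after the destination: dest port
            rule["dport"] = int(t[i + 1])
        rules.append(rule)
    return rules

def evaluate(rules, pkt):
    for r in rules:                       # first matching entry decides
        if (r["proto"] == pkt.proto
                and r["sport"] in (None, pkt.sport)
                and r["dport"] in (None, pkt.dport)
                and (not r["established"] or {"ACK", "RST"} & set(pkt.flags))):
            return r["action"]            # "established" needs ACK or RST set
    return "deny"                         # implicit deny ends every ACL

# Constructed packets as they would arrive from the Internet on Dialer0
PPTP_SYN = Packet("tcp", 40000, 1723, ("SYN",))       # new PPTP control session
GRE = Packet("gre", None, None, ())                   # PPTP tunnel data
WEB_REPLY = Packet("tcp", 80, 51000, ("SYN", "ACK"))  # web server answering a LAN host
DNS_REPLY = Packet("udp", 53, 52000, ())              # resolver answering a LAN host
STRAY_SYN = Packet("tcp", 40001, 23, ("SYN",))        # unsolicited telnet attempt
```

With the thread's entries alone, `evaluate(parse(THREAD_ACL), WEB_REPLY)` and the same call for `DNS_REPLY` return `deny`: `eq 80` and `eq 53` after the second `any` match the destination port, while replies carry those values as the source port. With `REPLY_ENTRIES` appended both replies are permitted and `STRAY_SYN` is still denied.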
