Issue port forwarding PPTP in new router

Hi, I'm pretty new to Cisco setup, and I've managed to get a Cisco 1117 set up with a PPPoE internet connection. I'm trying to port forward 1723 to a Windows server ( for PPTP VPN connections from home-based clients. I've used the line below:


ip nat inside source static tcp 1723 interface Ethernet0/2/0 1723


This seems to work flawlessly for a lot of people, but appears to do nothing for me. I'm thinking it might have to do with the ACL that I've set up, as below:


ip access-list extended OUTSIDE-INSIDE
10 permit icmp any
20 permit gre any any
30 permit tcp any eq 1723 any eq 1723


Which, for the purposes of initial config, I've made as permissive as I feel is reasonable. But it's not working. I've attached a sanitised running-config; if anyone could give me a hand, that would be fantastic!

Georg Pauwen
VIP Expert



Looking at your config, it looks like you have access list 102 applied to the outside interface, which is either a typo (you meant access list 104) or an empty access list? Either way, ZBF and an access list applied to zoned interfaces do not work together, so remove that access list.


You also might want to inspect the PPTP control traffic (inspect) and just let the GRE pass.


That said, do you actually get an IP address on your outside interface? Typically you would have to allow UDP 67 outbound from the self zone, and UDP 68 inbound to the self zone, in order for DHCP to work...


Make the changes marked in bold (shown here with -->) to your configuration:


Router#show running-config
Building configuration...

Current configuration : 10479 bytes
! Last configuration change at 10:59:29 UTC Sun Sep 12 2021 by admintemp
version 17.4
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
hostname Router
enable secret 9 xxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxxxx
aaa new-model
aaa session-id common
transport-map type console telnet-ui
banner wait ^C
banner diagnostic ^C
clock timezone UTC 10 0
ip name-server
ip dhcp excluded-address
ip dhcp pool dpool1
import all
login on-success log
subscriber templating
multilink bundle-name authenticated
flow record defaultApplicationTraffic
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect transport tcp flags
collect counter packets long
collect counter bytes long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
flow exporter export_Vlan1_2023215077
source Vlan1
transport udp 2055
flow monitor dat_Vlan1_2023215077
exporter export_Vlan1_2023215077
record defaultApplicationTraffic
sampler deterministic_1_32
mode deterministic 1 out-of 32
crypto pki trustpoint TP-self-signed-887792347
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-887792347
revocation-check none
rsakeypair TP-self-signed-887792347
crypto pki trustpoint SLA-TrustPoint
enrollment terminal
revocation-check crl
crypto pki certificate chain TP-self-signed-887792347
certificate self-signed 01
crypto pki certificate chain SLA-TrustPoint
certificate ca 01

crypto pki certificate pool
cabundle nvram:ios_core.p7b
no license feature hseck9
license udi pid C1117-4PWZ sn FGL2523LAWW
license boot level securityk9
license smart url
license smart url smart
license smart transport smart
memory free low-watermark processor 70888
diagnostic bootup level minimal
spanning-tree extend system-id
username admin privilege 15 password 0 xxxxxxxxxxxxxxxxxxxxx
username admintemp privilege 15 secret 9 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username ciscot password 0 xxxxxxxxxxxxxxx
mode none
controller VDSL 0/2/0
operating mode vdsl2
vlan internal allocation policy ascending
class-map match-all exit
--> class-map type inspect match-any PPTP-IN-CLASS
--> match protocol pptp
class-map type inspect match-any INSIDE-OUTSIDE-CLASS
description Allowed_Protocol_From_INSIDE_to_OUTSIDE
match access-group name INSIDE-OUTSIDE
match protocol https
match protocol dns
match protocol udp
match protocol tcp
match protocol pop3
match protocol smtp
match protocol icmp
class-map type inspect match-all OUTSIDE-INSIDE-CLASS
match access-group name OUTSIDE-INSIDE
class-map type inspect match-any Web_app
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect Web
class type inspect INSIDE-OUTSIDE-CLASS
class class-default
drop log
policy-map type inspect OUTSIDE-INSIDE-POLICY
--> class type inspect PPTP-IN-CLASS
--> inspect
class type inspect OUTSIDE-INSIDE-CLASS
class class-default
drop log
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-INSIDE-POLICY
interface GigabitEthernet0/0/0
no ip address
negotiation auto
interface GigabitEthernet0/1/0
interface GigabitEthernet0/1/1
interface GigabitEthernet0/1/2
interface GigabitEthernet0/1/3
interface Wlan-GigabitEthernet0/1/4
interface ATM0/2/0
no ip address
atm oversubscribe factor 2
no atm ilmi-keepalive
interface Ethernet0/2/0
ip flow monitor dat_Vlan1_2023215077 sampler deterministic_1_32 input
ip flow monitor dat_Vlan1_2023215077 sampler deterministic_1_32 output
ip address dhcp
ip nat outside
--> no ip access-group 102 in
zone-member security OUTSIDE
no negotiation auto
ip virtual-reassembly
interface Vlan1
ip flow monitor dat_Vlan1_2023215077 sampler deterministic_1_32 input
ip flow monitor dat_Vlan1_2023215077 sampler deterministic_1_32 output
ip address
ip nat inside
zone-member security INSIDE
ip tcp adjust-mss 1460
ip virtual-reassembly
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http secure-port 1025
ip forward-protocol nd
ip dns server
ip nat inside source static tcp 443 interface Ethernet0/2/0 443
ip nat inside source static tcp 1723 interface Ethernet0/2/0 1723
ip nat inside source list outbound_nat interface Ethernet0/2/0 overload
ip access-list extended INSIDE-OUTSIDE
10 permit tcp any eq www
20 permit icmp any
--> ip access-list extended OUTSIDE-INSIDE
--> 10 permit icmp any
--> 20 permit gre any any
ip access-list extended Web_acl
10 permit ip any any
ip access-list extended outbound_nat
10 permit ip any
ip access-list standard 1
10 permit
20 deny any
--> no ip access-list extended 104
10 permit gre any any
snmp-server community public RO
line con 0
transport input none
stopbits 1
line vty 0 4
access-class 1 in
password xxxxxxxxxxx
logging synchronous
length 0
transport input ssh
line vty 5 16
access-class 1 in
transport input ssh
transport type console 0 input telnet-ui
! If contact email address in call-home is configured as
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
profile "CiscoTAC-1"
destination transport-method http
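As an added example (not part of the thread and not the poster's or Georg's code), a small Python checker for the two things the answer points at: a ZBF zone-member interface that also has an ip access-group applied, and a TCP 1723 static NAT without a pptp inspect class-map or a GRE permit. The embedded config is constructed to resemble the sanitised running-config above, with a placeholder server address; it is not the real one.

```python
import re

# Constructed sample modelled on the thread's sanitised config (placeholder server address):
# the outside interface carries both zone-member and an interface ACL, and there is no
# class-map inspecting pptp, so both findings from the answer should show up.
SAMPLE_CONFIG = """\
interface Ethernet0/2/0
 ip address dhcp
 ip nat outside
 ip access-group 102 in
 zone-member security OUTSIDE
interface Vlan1
 ip nat inside
 zone-member security INSIDE
ip nat inside source static tcp 192.0.2.10 1723 interface Ethernet0/2/0 1723
ip access-list extended OUTSIDE-INSIDE
 10 permit icmp any any
 20 permit gre any any
"""

def parse_interfaces(cfg):
    """Group each 'interface X' stanza's indented lines under the interface name."""
    stanzas, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current:
            stanzas[current].append(line.strip())
        else:
            current = None          # a top-level line ends the stanza
    return stanzas

def zone_acl_conflicts(cfg):
    """Interfaces that are ZBF zone members and also carry an interface ACL (the combination the answer says to remove)."""
    hits = []
    for name, lines in parse_interfaces(cfg).items():
        zoned = any(ln.startswith("zone-member security") for ln in lines)
        acls = [ln.split()[2] for ln in lines if ln.startswith("ip access-group")]
        if zoned and acls:
            hits.append((name, acls))
    return hits

def pptp_forward_gaps(cfg):
    """If TCP 1723 is statically NATed inbound, report the ZBF pieces PPTP needs that are missing."""
    gaps = []
    if not re.search(r"^ip nat inside source static tcp \S+ 1723 ", cfg, re.M):
        return gaps                 # no PPTP forward configured, nothing to check
    if not re.search(r"^ match protocol pptp$", cfg, re.M):
        gaps.append("no class-map type inspect matches protocol pptp")
    if not re.search(r"^ \d+ permit gre ", cfg, re.M):
        gaps.append("no access-list permits gre")
    return gaps
```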