Hi Pantunes, thank you for being so patient wth this issue.
I haven't found anything helpful in wireshark log (most likely due to my unfamiliarity with this program). Before I contacted Microsoft first time I was certain that the issue is somewhere between physical host and virtual servers but they managed to convince me that I was wrong. They said that beacuse they are unable to telnet on port 1723 from outsite it means that the port is closed on the firewall but this is incorrect. If the port is closed on the destination server the telnet wouldn't work even if the firewall is configured correctly. So I decided to install RRAS server on phisical host and see if I can then connect via telnet. I was right - after installing RRAS on physical host (and changing the nat pool address/policy address on the firewall to point to physical host ip address) I managed to establish telnet connection on port 1723 to my physical host from outside.
So I then called Microsoft and advised that this is an evidence that the problem is between physical server and VMs. They logged on remotely again and were investigating for almost 2 hours but only thing they were doing was changing the authentication methods and allowed protecols within RRAS configuration options. I talked to them and said that I was doing the same for almost a week and that they are waisting their time as RRAS server and port 1723 is not the only port affected and that I am also unable to telnet on port 22 to my exchange server which is also a virtual machine.
The engineer then put me on hold and had a conversation with someone (most likely more senior Engineer). After 20 minutes he said that I will have to uninstall Symantec Endpoint Protection from both physical and Virtual servers using cleanwipe and then to call them back. I couldn't see a point in doing this as SEP was already disabled on all the machines. I'm sure that he only asked me to do this to buy more time but I did that anyway and guess what!? It worked!
The SEP installed on the phisical host was causing the problem. It was disabled the whole time hence I didn't even think about uninstalling it.
I can easily say that that was most frustrating problem I was dealing with in my 8 years in IT. It all make sense now as this was the only thing between phisical host and VMs. Why SEP keeps ports closed even if you disable the program that another mistery.
If you are facing any Host-->VM communication issues make sure SEP is unsintalled using cleanwipe. Aparrently uninstalling SEP from Programs and Features isn't enough and this can leave some sep stuff behind.
Thank you all for your input but most importantly Pantunes. In your last reply you asked about firewall which was the real source of the problem! I'm sure that someone mentioned firewall before but I really cound see a point of uninstalling it if it was already disabled. It simply doesn't make sense.