I should've mentioned that in my first post. I always forget the important little details. I'm using Windows 2000/XP PPTP VPN (XP Client, 2000 Server). If I get a PIX 501 or 506, or some other router/firewall that supports L2TP for home, I will probably start using 3DES L2TP. I don't know if there will be something I will have to set up differently to use L2TP, but I don't think that's in the near future.

Then you should be okay by opening IP GRE. You may also need to open TCP port 1723.

~rls

I found a document on permitting PPTP connections through the PIX. It says that static mappings must mbe made. Is there any way to tell the PIX to allow GRE to any host that is initiating PPTP from the inside, or must I set up static routes?

Since the pptp client initiates the connection on tcp 1723 the pix doesn't match the inbound gre connection against the xlate table and so drops the packet in the absence of a permitting conduit or ACL.

You will either need to do a permit all gre for those addresses used with the nat/global statement, or only allow gre inbound for those addresses assigned to vpn clients via static statements.

~rls