If the PIX is simply passing the PPTP packets through to an inside PPTP server, then you don't really need to do much on the PIX at all. It is just the same as allowing HTTP traffic through to an inside web server. So first of all get rid of all the "vpdn" type config on the PIX, that is only used if the PIX is terminating the PPTP VPN, which it is not.
Now, standard PIX connectivity says to allow packets from outside to inside you need a static and an access-list, of which you have neither. You will need to use another global IP address and map that through to the inside PPTP server, as such:
No, because that then overlaps with your PAT config. You can't set up a static PAT translation either because the GRE packets are not TCP/UDP based. To do this I'm afraid you need a second public IP address, or you can forget about your users connecting to the inside server and have them connect directly to the PIX as the PPTP server. This will then provide them with internal access also. To set that up it will be the "vpdn" config you had previously.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...