JuniperForum.com
March 11, 2010, 05:45:17 PM *
written by signal15 | 24177 Views | Rating: (9 rates)
Several people seem to be having trouble making their PPTP client work from behind a NetScreen. PPTP uses 1723/tcp for its control connection and GRE (IP protocol 47, NOT port 47) for the tunnelled data. GRE is an IP protocol number in the same sense that TCP (6) and UDP (17) are; unlike them, it has no port fields. When the NetScreen hides many inside hosts behind a single public address (PAT, port address translation), it keys each translation on the port numbers, so a portless protocol gives it nothing to match a returning packet against and it cannot tell which inside host a reply GRE packet belongs to. There are three solutions to this:

  1. Create a MIP (mapped IP) for each machine that needs to run a PPTP client, effectively giving each machine its own public IP
  2. Create a DIP (dynamic IP) pool for outbound NAT, so each machine gets a dynamically assigned public IP from the pool
  3. Create a VIP (virtual IP) for GRE and forward that traffic to the one host running the client

The first and second options require a block of public IP space. If you have a single IP, or get your address by DHCP from your ISP, you will need to go with option 3. The drawback of option 3 is that only one internal machine will ever be able to use a PPTP client, because every inbound GRE packet is forwarded to that single host. Options 1 and 2 are fairly self-explanatory, and I won't cover those here. So, if you need to create a VIP, here is what needs to be done:
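To make the mechanism described above concrete, here is an added illustration in Python (not part of the original article, and not a model of ScreenOS internals): a toy PAT table that keys its translations on the transport ports it reads out of constructed IPv4 packets. Two inside hosts opening TCP control connections get distinct outside ports, so replies are unambiguous; two inside hosts sending GRE collapse onto one key, so a returning GRE packet cannot be attributed to either; a VIP-style static forward for protocol 47 resolves this by delivering all GRE to one configured host. All addresses, ports and packet bytes are constructed for the demo.

```python
import struct
from typing import Dict, Optional, Set, Tuple

# IP protocol numbers (the "IP types" in the article's wording).
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47

FlowKey = Tuple[int, str, str, Optional[int], Optional[int]]


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed minimal IPv4 packet: 20-byte header, no options, checksum left 0."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,        # version 4, IHL 5 (20 bytes)
        0,                   # DSCP/ECN
        20 + len(payload),   # total length
        0, 0,                # identification, flags/fragment offset
        64,                  # TTL
        proto,               # protocol number: 6=TCP, 17=UDP, 47=GRE
        0,                   # header checksum (irrelevant for this demo)
        ip_to_bytes(src), ip_to_bytes(dst),
    )
    return header + payload


def tcp_header(sport: int, dport: int) -> bytes:
    """Constructed 20-byte TCP header with only the ports filled in (SYN, no options)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def gre_header(protocol_type: int = 0x880B) -> bytes:
    """Constructed 4-byte base GRE header (RFC 2784): flags/version, then protocol type.
    0x880B is PPP, which is what PPTP tunnels. Note there are no port fields at all."""
    return struct.pack("!HH", 0, protocol_type)


def flow_key(packet: bytes) -> FlowKey:
    """Extract what a NAT device can key a translation on.
    TCP/UDP give a 5-tuple; GRE yields None for both ports."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src, dst = bytes_to_ip(packet[12:16]), bytes_to_ip(packet[16:20])
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        return proto, src, dst, sport, dport
    return proto, src, dst, None, None


class Pat:
    """Toy many-to-one NAT on a single public IP, plus a VIP-style static forward."""

    def __init__(self) -> None:
        self.next_port = 40000
        # Outbound state: (proto, inside_ip, inside_port) -> outside port (None if portless).
        self.outbound: Dict[Tuple[int, str, Optional[int]], Optional[int]] = {}
        # Inbound state: (proto, outside_port) -> inside hosts that could own the flow.
        self.inbound: Dict[Tuple[int, Optional[int]], Set[str]] = {}
        # VIP: protocol number -> fixed inside host (the article's option 3).
        self.vip: Dict[int, str] = {}

    def translate_out(self, packet: bytes) -> Tuple[int, Optional[int]]:
        proto, src, _dst, sport, _dport = flow_key(packet)
        key = (proto, src, sport)
        if key not in self.outbound:
            outside = None if sport is None else self.next_port  # nothing to rewrite for GRE
            if sport is not None:
                self.next_port += 1
            self.outbound[key] = outside
            self.inbound.setdefault((proto, outside), set()).add(src)
        return proto, self.outbound[key]

    def deliver_inbound(self, proto: int, outside_port: Optional[int]) -> Optional[str]:
        """Inside host a reply belongs to, or None when the state cannot decide."""
        if proto in self.vip:
            return self.vip[proto]  # static forward wins regardless of session state
        hosts = self.inbound.get((proto, outside_port), set())
        return next(iter(hosts)) if len(hosts) == 1 else None


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    pat = Pat()
    server = "203.0.113.5"                 # constructed PPTP server address
    a, b = "192.168.1.10", "192.168.1.11"  # two constructed inside PPTP clients
    # TCP 1723 control connections: same inside source port on both hosts, yet PAT
    # hands out distinct outside ports, so the reply to host B is unambiguous.
    pat.translate_out(build_ipv4(IPPROTO_TCP, a, server, tcp_header(50000, 1723)))
    _, pb = pat.translate_out(build_ipv4(IPPROTO_TCP, b, server, tcp_header(50000, 1723)))
    tcp_reply_to = pat.deliver_inbound(IPPROTO_TCP, pb)
    # GRE data channel: both hosts collapse onto the single key (47, None).
    pat.translate_out(build_ipv4(IPPROTO_GRE, a, server, gre_header()))
    pat.translate_out(build_ipv4(IPPROTO_GRE, b, server, gre_header()))
    gre_reply_without_vip = pat.deliver_inbound(IPPROTO_GRE, None)
    pat.vip[IPPROTO_GRE] = a               # option 3: forward all GRE to one host
    gre_reply_with_vip = pat.deliver_inbound(IPPROTO_GRE, None)
    return tcp_reply_to, gre_reply_without_vip, gre_reply_with_vip
```

Running `demo()` returns the TCP reply's owner ("192.168.1.11"), `None` for the undecidable GRE reply, and "192.168.1.10" once the VIP is in place, which is exactly the trade-off in option 3: the VIP makes GRE deliverable, but only to one host.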

  1. Log into the NetScreen via telnet or SSH, issue the "set vip multi-port" command and save the config. The unit must be rebooted for the setting to take effect.
  2. Create a new custom service object called GRE. Instead of TCP or UDP, set the protocol to IP type 47. Set both the source and destination ports to 2048. GRE has no ports, but ScreenOS requires a port range on every service object, so this value must be filled in.
  3. Create a new VIP on your external (Untrust) interface. Select your GRE service and enter the IP of the internal machine running the PPTP client.
  4. Create a new policy from Untrust to Global. Source can be Any, but restricting it to the address of the PPTP server you connect to is preferable, since with Any the VIP host accepts GRE from every address on the Internet. Destination should be the VIP. Service should be your newly created GRE object.

That's it. PPTP should now work from the internal host.
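For reference, here are the same four steps as they would be typed at the ScreenOS CLI. This is an added example, not part of the original article. The interface name ethernet0/0, the zone name Untrust and the inside host 192.168.1.10 are assumptions; substitute your own, and check the exact argument order against your ScreenOS release, since it varied between versions.

```text
set vip multi-port
save
reset
set service "GRE" protocol 47 src-port 2048-2048 dst-port 2048-2048
set interface ethernet0/0 vip interface-ip 2048 "GRE" 192.168.1.10
set policy from untrust to global any "VIP(ethernet0/0)" "GRE" permit
save
```

The `reset` after the first `save` is the reboot step 1 calls for; the remaining lines are entered once the unit is back up. `vip interface-ip` uses the interface's own address as the VIP, which is the form you need when the interface gets a single address by DHCP. Replace `any` in the policy with an address-book entry for the PPTP server if you want to limit who can reach the VIP host. `get service GRE`, `get vip` and `get policy` show what the unit actually stored.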
