Okay, I think we're really nearly there mate. Your router is ip-unnumbered, but its acl blocks gre traffic from the pptp server coming back to the pix. I think all you're going to need now is a line like
access-list 101 permit gre host <pptp server> host 65.198.124.68
Where 65.198.124.68 is the static address you used to translate your internal 192.168.1.50 machine.
So your access list on the router ends up looking something like;
access-list 101 deny ip 65.198.124.64 0.0.0.7 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any host 65.198.124.65
access-list 101 permit icmp any 65.198.124.64 0.0.0.7 echo-reply
access-list 101 permit tcp any any established
access-list 101 permit tcp any 65.198.124.64 0.0.0.7 eq www
access-list 101 permit tcp any 65.198.124.64 0.0.0.7 eq 443
access-list 101 permit tcp any 65.198.124.64 0.0.0.7 eq smtp
access-list 101 permit udp any eq domain any
access-list 101 permit gre host <pptp server> host 65.198.124.68
Also, although it's not relevant to the problem you've got, the subnet mask of your outside interface of the pix is wrong. The line should read
ip address outside 65.198.124.66 255.255.255.248
rather than using 255.255.255.0. This won't affect this problem at all, but I *think* it will mean that your local machines can't reach websites on the 65.198.124.0 range outside of your 65.198.124.64 - .71 range, because the pix will think they're on the same subnet as it's outside address, so it will arp for them, rather than forwarding that traffic to the router. You could easily test that by trying to get to websites on the 65.198.124.0 range.
I *think* this should now work ... but I may have missed something ...
Best of luck!
CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP
