You definately would need some kind of destination NAT. The firewall would have no way to know which traffic to send to which internal host otherwise.
Aigarz gave a suggestion for a starting point to cover your RDP connection, however, the VPN termination is more difficult. You cannot match a NAT rule on GRE, as it is a protocol and not a port number. The SRX has a PPTP ALG that I believe is supposed to handle the necessary magic for translating GRE sessions.
For a starting suggestion, try setting up your destination NAT (incoming connections) something like this:
security {
nat {
destination {
pool srv-RDP {
address 10.0.1.196/32;
}
pool srv-PPTP {
address 10.0.1.198/32;
}
rule-set untrust-to-trust {
from zone untrust;
rule RDP {
match {
source-address 0.0.0.0/0;
destination-address 192.168.1.10/32;
destination-port 3389;
}
then {
destination-nat pool srv-RDP;
}
}
rule PPTP {
match {
source-address 0.0.0.0/0;
destination-address 192.168.1.10/32;
destination-port 1723;
}
then {
destination-nat pool srv-PPTP;
}
}
}
}
}
}
You'll also want to make sure that your PPTP ALG is enabled:
user@srx> show security alg status | match PPTP
PPTP : Enabled
Set your security policies to allow the junos-pptp service, but you don't need the junos-gre service since the ALG takes care of that (as far as I know):
from-zone untrust to-zone trust {
policy VPN-Test {
match {
source-address any;
destination-address addr_10_0_1_198;
application junos-pptp;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
}
That should get you going in the right direction. I can't promise that that's 100% of what you need to make it work, I have not done this exact configuration and I don't have a place where I can build it to test it.