PIX Lan-to-DMZ connectivity

Hi there,

We have a PIX 506E and have recently set up a DMZ. Currently machines in the DMZ and the LAN can both access the internet. I have entered a NAT 0 command and access-list to enable communication from a machine on the LAN to a machine on the DMZ, but I thought that because the DMZ has a lower security level, any machines on an interface with higher security should, by default, have access to interfaces of lower security. Is this the case?

I don't want to go through entering individual access-list commands for each machine that would need to access the DMZ if there is an easier way of doing it.

Thanks for your help,

Peter

p.dutton

Yes, but in order for that access to work, the PIX needs to know what address translation to use when going from the inside to the DMZ. That's accomplished by using a 'static' command, or by using a 'nat 0 access-list', or by using a nat/global pair.

Also, keep in mind that UDP is effectively two unidirectional connections, one from the inside to the DMZ and the other from the DMZ to the inside. If the inside host initiated a UDP connection towards the DMZ, then by default (if there is no access-group applied to the inside interface) the flow would be permitted and replies from the DMZ to the inside would be permitted until the UDP flow timed out according to the PIX 'timeout' parameters. But UDP does not have "connections" so the PIX cannot tell whether silence on the UDP flow is because the flow is finished or because the two ends just don't have anything to say right then. If the flow goes idle for a while and the PIX times it out, and then the DMZ host tries to send something back to the inside, it will not be permitted: the PIX will see those packets as if they were a new flow from the DMZ to the inside that should be blocked by default.

Walter Roberson
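As an added illustration that is not part of the thread, the following PIX 6.x configuration fragment writes out the three translation choices Walter names (nat/global pair, `nat 0 access-list`, and `static`) together with the UDP idle timeout his second paragraph describes. The interface name, security level and all addresses are constructed for the example; only one of the three options should be active at a time, since a `nat 0 access-list` is matched before numbered `nat` statements on the same interface.

```cisco
! Added example (not from the thread): PIX 6.x configuration for inside -> DMZ
! reachability. Interface name, security level and all addresses are constructed.
nameif ethernet2 dmz security50
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
!
! Option A: nat/global pair. Inside hosts are PAT'd to the DMZ interface address
! when they open connections to DMZ hosts (the variant Peter reported working).
nat (inside) 1 192.168.1.0 255.255.255.0
global (dmz) 1 interface
!
! Option B (alternative to A): identity NAT via 'nat 0 access-list', so the inside
! address is kept unchanged on the DMZ side. This ACL only selects traffic to be
! exempted from translation; it is not bound to an interface with access-group.
! access-list INSIDE_DMZ_NONAT permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
! nat (inside) 0 access-list INSIDE_DMZ_NONAT
!
! Option C (alternative to A and B): a static identity translation for the whole
! inside subnet. Unlike A, this also gives DMZ hosts a route to inside addresses,
! but DMZ-initiated traffic is still dropped unless an ACL on dmz permits it.
! static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! No access-group is applied to 'inside': once a translation exists, traffic from
! the higher-security inside interface to the lower-security dmz interface is
! allowed by the default policy, and replies are matched to the tracked flow.
!
! UDP flows are tracked only while traffic keeps them alive. After this idle
! interval (2 minutes is the default) a DMZ -> inside packet on the same 5-tuple
! is treated as a new connection from dmz and is blocked by default.
timeout udp 0:02:00
```

After changing `nat`, `global` or `static` lines, `clear xlate` so that existing translation entries are rebuilt, then have an inside host open a connection to the DMZ and confirm the entry with `show xlate`; a long-idle UDP service between the two interfaces is the case where the default `timeout udp` value deserves a second look.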

That makes sense. Many thanks for your advice; I now have it working using the nat/global config you suggested.

Thanks again,

Peter

soulmedia

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.