Fidelio pounded out on the keyboard on or about 04-Jan-05 05:14:
Not a PIX expert, but what you are trying to do really defeats the purpose of having a DMZ. If you open up the DMZ servers to allow them inside with unlimited access, you are opening your internal systems to possibly become compromised if one of your DMZ systems gets compromised. The idea behind a DMZ is to allow them to be accessed by the public (internet) while maintaining the integrity of your internal network. So you want to limit your DMZ servers' access to the inside (private) network to exactly what they need to talk to on the private side. So you should basically have groups of rules as in the following:

private -> DMZ
private -> internet
DMZ -> private
DMZ -> internet
internet -> DMZ
internet -> internal

with each pair increasingly becoming more stringent about what it is allowed to access. I know this doesn't answer your question, as I only have experience with Checkpoint's Firewall-1 product. Just felt that you should reconsider what you are doing. If you do not get the answer you need, let me know and I can certainly see what I can come up with. And I apologize if this is just a ramble-on for you.
Jeff
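The zone-pair layering Jeff describes, as an added vendor-neutral example that is not from the original thread or any PIX/Firewall-1 configuration: a small audit that flags a DMZ -> private permit that is not pinned to a specific host and service, and any internet -> private permit. The zone names, rule fields and addresses are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str           # "private", "dmz" or "internet"
    dst_zone: str
    action: str             # "permit" or "deny"
    dst_host: str = "any"   # "any" or a specific host/network
    service: str = "any"    # "any" or a specific service, e.g. "tcp/1433"


def audit(rules):
    """Flag permits that undermine the DMZ layering: DMZ -> private must be
    limited to specific hosts and services, and internet -> private must
    not be permitted at all. Returns a list of human-readable findings."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        pair = (r.src_zone, r.dst_zone)
        if pair == ("dmz", "private") and "any" in (r.dst_host, r.service):
            findings.append(f"dmz->private too broad: dst={r.dst_host} svc={r.service}")
        elif pair == ("internet", "private"):
            findings.append(f"internet->private permit: dst={r.dst_host} svc={r.service}")
    return findings


# Constructed sample: the "open the DMZ to the inside" policy the reply argues against.
WIDE_OPEN = [
    Rule("private", "dmz", "permit"),
    Rule("dmz", "private", "permit"),                              # unlimited inbound from DMZ
    Rule("internet", "dmz", "permit", "198.51.100.10", "tcp/80"),  # public web server
]

# Constructed sample: the same policy with DMZ -> private narrowed to what the
# web server actually needs (one database host, one port), everything else denied.
TIGHTENED = [
    Rule("private", "dmz", "permit"),
    Rule("dmz", "private", "permit", "10.0.0.20", "tcp/1433"),
    Rule("dmz", "private", "deny"),
    Rule("internet", "dmz", "permit", "198.51.100.10", "tcp/80"),
    Rule("internet", "private", "deny"),
]

if __name__ == "__main__":
    for name, policy in (("wide open", WIDE_OPEN), ("tightened", TIGHTENED)):
        print(name, audit(policy) or "ok")
```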