515e - ACL help

shanemonson
Level 1

I thought I had this figured out but now I don't.

Need inside and dmz if's to have access to www.

Need dmz systems to access specific systems on inside via specific ports.

Need inside systems to talk to dmz systems on specific ports.

I have attached my current running config. What am I doing wrong? Thanks in advance for any help.

Shane

9 Replies

acomiskey
Level 10

None of that is working?

I would be more specific with this acl and deny ip to inside subnet, change

access-list ACLDMZ_IN deny ip any 10.10.0.0 255.255.0.0

to

access-list ACLDMZ_IN deny ip any 10.10.30.0 255.255.255.0

For inside to talk to dmz you have nothing permitted in your ACL_IN acl except www. Is there a specific reason you are using an ACL_IN, are you restricting inside users from certain things? I assume you have an outside router doing nat?

Stepped out for a bite, sorry... OK, this firewall is for our data center and is for production only. No users are actually attached. What I am trying to make happen is this: Our webserver on the dmz needs to be available for clients from the outside. It needs to communicate with our app and db servers on the inside. All of them need www access for updates and ntp related items etc. I will make the changes you suggested and try back. Thanks!

Also, does this have anything to do with a NAT/Global issue? My self-taught understanding was:

Higher to lower security - use nat/global

Lower to higher security - must use static routes and acl's.

So, for inside to dmz traffic, do I need a nat/global command, or maybe a nat 0 ?

The easiest way to get traffic from inside to dmz is

static (inside,dmz) netmask

in your case

static (inside,dmz) 10.10.30.1 10.10.30.1 netmask 255.255.255.0

It sounds like you don't really need your inside acl then. If you need to restrict traffic from inside to dmz then fine, but if not, what is its purpose, to restrict traffic to outside? If you write it for that purpose you will just have to make sure you allow everything: www, https, dns, ntp etc.

It worked! I ended up just changing the ace you suggested on the ACLDMZ_IN acl. Both inside and dmz systems can access www as well as each other respectively (per the acl's). Again, much appreciated. 5's across the board!

Question: Is the PIX flexible enough to allow acls and static routes to be used on any interface inbound or outbound regardless of security level?

Here is what my (working) acl's look like now:

Result of firewall command: "show access-list"

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
alert-interval 300
access-list acl_out; 4 elements
access-list acl_out line 1 permit tcp any host 10.10.70.65 eq www (hitcnt=0)
access-list acl_out line 2 permit tcp any host 10.10.70.65 eq https (hitcnt=0)
access-list acl_out line 3 permit tcp any host 10.10.70.65 eq ftp (hitcnt=0)
access-list acl_out line 4 permit tcp any host 10.10.70.64 eq www (hitcnt=0)
access-list ACLDMZ_IN; 6 elements
access-list ACLDMZ_IN line 1 permit tcp any host 10.10.20.200 eq 8080 (hitcnt=25)
access-list ACLDMZ_IN line 2 permit tcp any host 10.10.20.190 eq 8080 (hitcnt=12)
access-list ACLDMZ_IN line 3 permit udp any host 10.10.70.234 eq domain (hitcnt=26)
access-list ACLDMZ_IN line 4 permit tcp any any eq www (hitcnt=269)
access-list ACLDMZ_IN line 5 deny ip any 10.10.30.0 255.255.255.0 (hitcnt=0)
access-list ACLDMZ_IN line 6 deny ip any any (hitcnt=0)
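An added illustration, not code from the thread or from Cisco: a small first-match evaluator in Python over the ACLDMZ_IN entries shown above (hit counts dropped, sample source host constructed). It assumes PIX semantics of top-down first match with an implicit deny at the end, and makes the ordering caveat visible: line 4 (permit tcp any any eq www) is matched before line 5, so a DMZ host still reaches the 10.10.30.0/24 inside subnet on port 80 even though line 5 denies that subnet.

```python
import ipaddress

# Constructed sample: the ACLDMZ_IN entries from the "show access-list" output, hit counts removed.
ACLDMZ_IN = """
permit tcp any host 10.10.20.200 eq 8080
permit tcp any host 10.10.20.190 eq 8080
permit udp any host 10.10.70.234 eq domain
permit tcp any any eq www
deny ip any 10.10.30.0 255.255.255.0
deny ip any any
""".strip().splitlines()

# Service keywords that appear in the thread's ACLs, mapped to port numbers.
PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "ftp": 21}


def parse_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)


def parse_ace(line):
    """Parse 'permit|deny proto src dst [eq port]' into a dict."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, dst = parse_addr(rest), parse_addr(rest)
    dport = None
    if rest and rest[0] == "eq":
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, proto, src_ip, dst_ip, dport):
    """First-match evaluation: return (action, 1-based ACE number) of the entry that decides."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, line in enumerate(acl_lines, 1):
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], n
    return "deny", None  # implicit deny when nothing matches


if __name__ == "__main__":
    # Constructed DMZ source 10.10.70.65 talking to an inside host on 80 vs 443.
    print(evaluate(ACLDMZ_IN, "tcp", "10.10.70.65", "10.10.30.1", 80))   # ('permit', 4)
    print(evaluate(ACLDMZ_IN, "tcp", "10.10.70.65", "10.10.30.1", 443))  # ('deny', 5)
```

Moving the deny for 10.10.30.0/24 above the www permit (or scoping the www permit to non-inside destinations) closes that gap while keeping the DMZ's web access for updates.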

Don't confuse a "static" and a "static route" as you've been calling it. This is a static route

route outside 0.0.0.0 0.0.0.0 1.1.1.1

In pix 6 you cannot specify an acl out an interface, only in.

access-group acloutdmz out interface dmz

Got it - static routes and static nat... I was speaking of nat. So on our version 6.3 acl's are for inbound only. We have the software and ability to upgrade to pix 7.0... do you recommend?

I'm a big proponent of "if it's not broke, don't fix it"!

Check out the release notes for 7. I wouldn't upgrade only to be able to write acl's "out" an interface. If you want to gear your firewall learning towards the new ASA and away from pix, then upgrading to 7 would help you out.
