I dont quite understand the explanation of your topology. It sounds like you have a 2610 connected to the DMZ interface of a PIX and to the Internet? Or are you decrypting the traffic on your DMZ, the outside of the PIX? Why dont you just use the PIX as the end-point of the tunnel if the traffic ultimately needs to get inside anyway? I guess a little clearer understanding of the topology would help.