I can’t determine why you don’t just terminate the tunnel on the PIX’s DMZ interface but regardless, your solution should work fine. I used to do that all the time before the PIX supported IPsec. Just set a static and conduits in the PIX to the tunnel end point.
