Pix 501 authenticate inbound basic question

[nerdasaurus]

I am setting up a PIX 501 to segregate a portion of our network. I want anyone from the outside interface to have to authenticate via http with a radius server in order to talk to any hosts on the inside interfaces. I have the radius server setup and working (can log into pdm with radius credentials). Couple basic questions:

How do I get the http auth page to come up instead of pdm? So if my router is at 10.5.1.1 (outside interface), I want to navigate there (https preferrably) and see a simple auth page. Instead I see PDM.

Second question - what NAT is required? I have PAT setup from inside->outside, but when I try to add an outside->inside aaa authentication rule, PDM won't let me as it complains I am missing a static NAT rule for one of the interfaces. (exact message: "No Static Network Address Translation (NAT) rule is configured for the destination host or network on interface outside. Would you like to add a static NAT rule for the host or network now?" If I hit OK, it opens up a dialog to edit the inside interface and add a static NAT for the outside interface. This doesn't make sense to me. I want the source (outside address) to stay the same when it comes into the inside interface. I want inside addresses to use PAT when they leave via the outside interface).

Thank you for your time, I appreciate any pointers you can give!