Internal website through PIX 515E

andy (Level 1)

I recently became the network administrator for a small local government entity. I have been thrust into the world of Cisco, which is fine, but I have a lot to learn. I have a Cisco PIX 515E firewall and I need to configure it so that when a link on the website (hosted outside the company) is clicked, it will point to a GIS server running Apache inside our network. I have absolutely no idea how to do this in the CLI. I'm sorry if I'm asking too much here, but any help would be appreciated. The Apache server works internally, so at least that much is set up correctly. I just need the general public to be able to access it from the outside.

22 Replies

andrewdykes (Level 1)

Is the Apache server publicly addressable, or does it have a private IP?

It's a private IP, but I was given the impression that you could still access a web page by using the public IP as long as the correct routing was configured in the PIX firewall.

All you need is a static and an access-list statement.

public ip = 1.1.1.1

private ip = 192.168.1.10

static (inside,outside) 1.1.1.1 192.168.1.10 netmask 255.255.255.255

access-list outside_access_in permit tcp any host 1.1.1.1 eq 80

access-group outside_access_in in interface outside

If 1.1.1.1 is also the outside address of your PIX, then you can do this:

static (inside,outside) interface 192.168.1.10 netmask 255.255.255.255

or port forward:

static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255

As far as DNS goes, the solution for that depends on where your DNS server is. If it is outside, then you can do DNS doctoring; if it is inside and is returning the outside address, you can do hairpinning on the inside interface with PIX 7.

The DNS is handled by the server (this is a single-server situation). I have entered those commands before (i.e. the static, access-list, and access-group commands) and had no luck. If I go to a browser and type in the IP address of the computer hosting this Apache server, it comes up just as it should. But should it work the same way if I come from an outside IP address? Such as: I go to my house, open a browser and type in "http://1.1.1.1"; will it route to the Apache server on the internal address and come up properly? If there is any other information that you need, please ask and I will provide what I can.

And thank you to all who are trying to help my poor Cisco-ignorant self.

Yes, the PIX would make the translation between the public address, 1.1.1.1, and the private one. Could you possibly post your PIX config? Remove passwords etc. Give us the inside address of the server and the address you are attempting to hit from the outside, and is this address the same as your outside interface on the PIX?

There was a tcp interface forward to 192.168.100.11. I removed it because it was conflicting with the forward I was trying to do to 192.168.100.68, not to mention that there is no 192.168.100.11 within my network. That may have been left over from before they moved, when they still hosted their own website. The outside IP address I would rather not give out. The outside address of the PIX is our one and only public IP address, so yes, it is the same. Modified config attached...

The access-list is wrong; this would only allow a source of 192.168.100.68 to a destination of 1.1.1.1. Change it to this...

no access-list outside_access_in permit tcp host 192.168.100.68 host 1.1.1.1 eq www

access-list outside_access_in permit tcp any host 1.1.1.1 eq www

access-group outside_access_in in interface outside

This can be removed...

static (inside,outside) tcp 192.168.100.68 www 1.1.1.1 www netmask 255.255.255.255 0 0

and if you don't have a 100.11 you can remove these too...

static (inside,outside) tcp interface smtp 192.168.100.11 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 32000 192.168.100.11 32000 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 32001 192.168.100.11 32001 netmask 255.255.255.255 0 0

static (inside,outside) udp interface 32000 192.168.100.11 32000 netmask 255.255.255.255 0 0

static (inside,outside) udp interface 32001 192.168.100.11 32001 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface pop3 192.168.100.11 pop3 netmask 255.255.255.255 0 0
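The two replies above (the static/access-list/access-group recipe, and the correction of an ACL whose source was the inside host rather than `any`) describe the three things that must line up for an inbound publication on a pre-8.3 PIX/ASA: a `static` that owns the public address (or the outside `interface` address) and port, an access-list bound inbound on the outside interface that permits `any` to that public address on that port, and no second `static` claiming the same public address/port. The following is an added example, not code from the thread or from Cisco: a small Python lint that reads those three statement types from a config and reports what is missing for a given publication. It models a simplified subset of PIX syntax (one-to-one and `tcp`/`udp` port-forward statics, `permit`/`deny` entries with `any` or `host` addresses and an optional `eq` port, first-match ACL evaluation with an implicit deny). The function names, the `BROKEN`/`FIXED` configs and the client address 203.0.113.5 are all constructed for this example; the `BROKEN` config mirrors the mistakes discussed in the thread.

```python
"""Lint a PIX (pre-8.3 syntax) config for an inbound web publication.

Added example, not from the thread. Simplified model of PIX behaviour:
  - static (real_ifc,mapped_ifc) [tcp|udp] MAPPED [port] REAL [port] netmask ...
    MAPPED may be the literal 'interface' (the mapped interface's own address).
  - Inbound ACLs on the outside interface match the MAPPED (public) address.
  - ACL entries are evaluated first match wins, with an implicit deny at the end.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110, "ssh": 22, "ftp": 21}


def port_num(tok: str) -> int:
    return PORT_NAMES.get(tok.lower()) or int(tok)


@dataclass
class Static:
    real_if: str
    mapped_if: str
    proto: Optional[str]       # None for a one-to-one address static
    mapped_ip: str             # literal address or 'interface'
    mapped_port: Optional[int]
    real_ip: str
    real_port: Optional[int]


@dataclass
class Ace:
    name: str
    action: str
    proto: str
    src: str                   # 'any' or a host address
    dst: str
    dport: Optional[int]


STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(.+?)\s+netmask\s", re.I)
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(\S+)\s+(.+)$", re.I)
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)", re.I)


def _addr(t, i):
    """Parse 'any', 'host X' or 'X MASK' starting at token i."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2


def parse(config: str):
    statics, aces, groups = [], [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            real_if, mapped_if, body = m.groups()
            t = body.split()
            if t[0].lower() in ("tcp", "udp"):   # port forward
                statics.append(Static(real_if, mapped_if, t[0].lower(), t[1], port_num(t[2]), t[3], port_num(t[4])))
            else:                                # one-to-one address static
                statics.append(Static(real_if, mapped_if, None, t[0], None, t[1], None))
        elif m := ACE_RE.match(line):
            name, action, proto, rest = m.groups()
            t = rest.split()
            src, i = _addr(t, 0)
            dst, i = _addr(t, i)
            dport = port_num(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            aces.append(Ace(name, action.lower(), proto.lower(), src, dst, dport))
        elif m := GROUP_RE.match(line):
            groups.append((m.group(1), m.group(2).lower()))
    return statics, aces, groups


def _is_private(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:        # 'interface' or a non-address token
        return False


def check_publication(config, public_ip, port, private_ip, outside_ip=None, outside_if="outside"):
    """Return a list of findings; an empty list means the inbound path lines up."""
    statics, aces, groups = parse(config)
    findings = []

    def covers(s):            # does this static own public_ip:port on the outside?
        mapped = outside_ip if s.mapped_ip == "interface" else s.mapped_ip
        if s.mapped_if.lower() != outside_if or mapped != public_ip:
            return False
        return s.proto is None or (s.proto == "tcp" and s.mapped_port == port)

    for s in statics:         # private address in the mapped slot: arguments reversed
        if _is_private(s.mapped_ip) and not _is_private(s.real_ip):
            findings.append(f"static {s.mapped_ip} -> {s.real_ip}: mapped and real look swapped "
                            "(syntax is 'static (real_ifc,mapped_ifc) MAPPED REAL')")
    owners = [s for s in statics if covers(s)]
    if not owners:
        findings.append(f"no static (inside,{outside_if}) maps {public_ip}:{port} to an inside host")
    elif len(owners) > 1:
        findings.append(f"{len(owners)} statics claim {public_ip}:{port}; only one can own it")
    elif owners[0].real_ip != private_ip:
        findings.append(f"{public_ip}:{port} is mapped to {owners[0].real_ip}, not {private_ip}")

    bound = [name for name, ifc in groups if ifc == outside_if]
    if not bound:
        findings.append(f"no access-group binds an ACL inbound on {outside_if}; implicit deny applies")
    client = "203.0.113.5"    # constructed Internet client address (TEST-NET-3)
    for name in bound:
        entries = [a for a in aces if a.name == name]
        if not entries:
            findings.append(f"access-group references ACL {name}, but no such access-list lines exist")
            continue
        verdict = None
        for a in entries:     # first match wins
            if a.proto in ("tcp", "ip") and a.src in ("any", client) \
                    and a.dst in ("any", public_ip) and a.dport in (None, port):
                verdict = a.action
                break
        if verdict != "permit":
            narrow = sorted({a.src for a in entries if a.dst == public_ip and a.src != "any"})
            hint = f" (entries for {public_ip} exist but only allow source {', '.join(narrow)})" if narrow else ""
            findings.append(f"ACL {name} does not permit tcp any -> {public_ip}:{port}{hint}")
    return findings


# Constructed configs mirroring the thread: the original (wrong) lines and the corrected ones.
BROKEN = """
static (inside,outside) tcp 192.168.100.68 www 1.1.1.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.100.11 smtp netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp host 192.168.100.68 host 1.1.1.1 eq www
access-group outside_access_in in interface outside
"""
FIXED = """
static (inside,outside) tcp interface www 192.168.100.68 www netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host 1.1.1.1 eq www
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, check_publication(cfg, "1.1.1.1", 80, "192.168.100.68", outside_ip="1.1.1.1") or ["ok"])
```

Against `BROKEN` the lint reports the reversed `static` (private address in the mapped slot), the resulting absence of any static owning 1.1.1.1:80, and the ACL entry that admits only source 192.168.100.68; against `FIXED` it reports nothing. Adding a second `static (inside,outside) tcp interface 80 ...` for another host produces the conflict finding, which is the situation the leftover forward to 192.168.100.11 could cause if it had used the same port. On the box itself the equivalent checks are `show xlate` (is the translation built), `show access-list` (do the hit counts on the outside ACL move when you connect from outside) and `show conn`; keep the permitted port limited to the one Apache serves rather than opening the host with `permit ip`.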

Thank you again for the advice. I put in those exact entries (substituting our public IP for 1.1.1.1) and I still get "page cannot be displayed". Is there anything else I'm missing? The config is still the same, with the exception of the items you said to change.

Could you post the config again just to be sure? Substitute 1.1.1.1 as before.

From the inside you are doing http://192.168.100.68 and it is working?

From the outside you are doing http://1.1.1.1 and it is not working?

That is correct.

Here you go...I really appreciate all of this.

Is the server default gateway 192.168.100.100?

yes

Sorry, I'm pretty much out of ideas. It should work fine. You might as well get rid of access-lists 140, smtp.1, and smtp.2, as they are not being used.

When trying from the outside, you aren't coming across the VPN tunnel you have configured, are you?

Definitely not coming across the VPN. It needs to be accessible to the general public. Thanks again for all your time and effort. I'll sit here and ponder it some more. The guy who was here before me didn't set this up. He called in another company to do it for him, so there are some entries in there that probably don't need to be. The only IP addresses that I changed in the config, other than the public one to 1.1.1.1, were changed to x's. Anything that is in there as 0's, or the 10.211, which is a separate IP pool that connects to the same server, are all the exact IP addresses. Don't know if that makes a difference.
