
Public IPs are used up, any way round this - port forwarding?

whiteford
Level 1

Hi,

We have used up all our public IPs due to NATing them to static private IPs. Before we spend the time and money on getting more, which will mean a completely new scope, can I do anything else? Like use one IP for 2 servers but different ports, as some servers use http and others ftp etc.

Thanks

9 Replies

abinjola
Cisco Employee

Exactly. You may do static port forwarding for inbound traffic:

static (inside,outside) tcp x.x.x.x 25 y.y.y.y 25

static (inside,outside) tcp x.x.x.x 80 y.y.y.y 80

.

.

.

x.x.x.x--->public IP/Pix Outside Interface IP

y.y.y.y-->Private IP address

Do rate if it helps !

Thanks,

Should I be doing your method anyway, or is the static method I'm doing normal practice, or a bit of both?

I ask as I like to keep to best practices.

Well, again it depends. If you have enough public IPs you may go with 1-1 static, but if you only have very limited IPs then static port forwarding is a better choice.

Moreover, static port forwarding is unidirectional, that is, only from outside to inside; for outbound you need normal nat (inside) and global (outside) for that host.

Do rate if it helps !

I guess I will have to add a rule on the Outside interface to allow this to work, as I need an external public IP to access a private IP inside on a particular port?

Yes, correct. You need ACLs besides the static port forwarding translation rule.

I must have done something wrong. I added the port forward (PAT) from the outside interface to the private IP of the server on tcp/80 just like your useful example.

I then added a rule on the outside interface to allow any IP to the private IP on port 80, but I can't get access from the Internet.

Have I missed something, do you have another example?

Many thanks!

Use the command line and add the following

static (inside,outside) tcp interface 80 <server-private-IP> 80

and in the outside access-list add

access-list <outside-acl-name> permit tcp any host y.y.y.y eq 80

y.y.y.y-->outside interface IP

This is where I went wrong I think:

access-l permit tcp any host y.y.y.y eq 80

So because I have "bound" port 80 to my server the permit rule above knows how to get to the private IP?

Does this mean I can't use port 80 on another webserver?

Thanks

Correct. If you are translating inbound traffic on the outside interface for port 80 to a specific server, you cannot use overlapping or duplicate statics to use port 80 again.
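
An added example, not code from the thread: a small Python check for the two mistakes discussed above, an outside access-list that permits the private address instead of the public one, and a second static reusing a public IP and port that is already forwarded. The sample config, its addresses and the ACL name acl_out are constructed; the check assumes numeric ports and an explicit public IP rather than the interface keyword.

```python
import re

# Constructed sample: documentation addresses; "acl_out" is a made-up ACL name.
SAMPLE = """\
static (inside,outside) tcp 203.0.113.10 80 192.168.1.10 80
static (inside,outside) tcp 203.0.113.10 21 192.168.1.20 21
static (inside,outside) tcp 203.0.113.10 80 192.168.1.30 80
static (inside,outside) tcp 203.0.113.10 25 192.168.1.40 25
access-list acl_out permit tcp any host 192.168.1.10 eq 80
access-list acl_out permit tcp any host 203.0.113.10 eq 21
"""

STATIC_RE = re.compile(r"static \(\w+,\w+\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
PERMIT_RE = re.compile(r"access-list \S+ permit (tcp|udp) any host (\S+) eq (\d+)")


def lint(config):
    """Return sorted (kind, detail) findings for static PAT and outside ACL lines."""
    mapped = {}      # (proto, public_ip, public_port) -> private_ip of first static
    private = set()  # (proto, private_ip, private_port) behind any static
    permits = set()  # (proto, dest_ip, dest_port) permitted from any source
    findings = []
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            proto, pub_ip, pub_port, priv_ip, priv_port = m.groups()
            key = (proto, pub_ip, pub_port)
            if key in mapped:
                # One public IP/port pair can forward to only one inside host.
                findings.append(("duplicate-static", f"{proto} {pub_ip}:{pub_port} -> {priv_ip}"))
            else:
                mapped[key] = priv_ip
            private.add((proto, priv_ip, priv_port))
        elif m := PERMIT_RE.match(line):
            permits.add(m.groups())
    for proto, ip, port in permits - set(mapped):
        if (proto, ip, port) in private:
            # The ACL names the private address; it has to name the public one.
            findings.append(("acl-uses-private-ip", f"{proto} {ip}:{port}"))
    for proto, ip, port in set(mapped) - permits:
        findings.append(("static-without-permit", f"{proto} {ip}:{port}"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, detail in lint(SAMPLE):
        print(f"{kind}: {detail}")
```

The FTP static in the sample passes cleanly because it uses its own public port and its permit names the public address, which is the one-IP, several-servers layout asked about at the top of the thread.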
